Common use of Data Protection Clause in Contracts

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 41 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 22.1 With respect The Referrer shall at all times comply with the provisions and obligations imposed by all applicable laws and regulations relating to the Parties' rights collection, storage, processing and obligations under this Framework Agreementtransfer of data relating to natural persons (collectively, “Data Protection Laws”). To the extent that the Referrer receives from, or processes on behalf of, the Parties agree Company any data relating to natural persons (“Personal Data”) that is subject to applicable Data Protection Laws, the Authority is the Data Controller Referrer shall: process, store, transfer and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the disclose such Personal Data only for purposes of performing the Services and only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 Company’s instructions; implement appropriate technical and organisational organizational measures sufficient to protect the secure such Personal Data against unauthorised inadvertent disclosure or unlawful Processing loss and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate unauthorized access; ensure that access to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the such Personal Data and having regard is restricted to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to its personnel, including subcontractors, who are involved in such Referrals; ensure the reliability requirements of this Section 9.1 are included in any Supplier’s Staff agreements with subcontractors who will have access to the Personal Data; 22.2.5 obtain prior Approval from ; strictly comply with all requirements of Data Protection Laws concerning the Authority in order to transfer the of Personal Data to across national and regional borders; inform the Company promptly, and in any Subevent within twenty-Contractors four (24) hours, of any data security breach or Affiliates for the provision unauthorized or inadvertent disclosure of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating take all other steps reasonably required to assist the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance Company in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the 
Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) any applicable Data Protection Laws; and indemnify, defend, and hold harmless the Company against any and all claims or losses arising out of or resulting from any third-party claim arising out of or resulting from the Referrer's negligent, knowing, or willful failure to comply with all applicable Data Protection Laws. Each Party will provide reports in a mutually agreed form and frequency, including, but not limited to, the number of Referrals made or received and the outcomes for Potential Customers referred to the Company. 
The Parties shall: keep all books, statements, and electronic data necessary to provide a written description complete record of the technical business conducted by each Party under this Agreement, including, without limitation, complete, accurate, and organisational methods employed up-to-date records of the outcomes for Potential Customers referred by the Supplier Referrer; maintain all materials referenced in Section 10.2.1 above, ensuring they are kept accurate, up-to-date, and available for Processing Personal Data (within the timescales required inspection by the Authority)other Party at all times; and (c) not cause or permit promptly supply the other Party with any records referenced in Section 10.2.1 above that it reasonably requires; and implement and maintain proper security, technical, and operational measures and procedures to be Processed and/or otherwise transferred outside ensure the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent safe custody and confidentiality of the Authority records referenced in Section 10.2.1 above, preventing unauthorized access or Contracting Body concerned anduse. These records shall be clearly segregated from any other records in the Party’s possession. NEITHER PARTY EXCLUDES OR LIMITS LIABILITY TO THE OTHER PARTY FOR ANY MATTER FOR WHICH LIABILITY CANNOT BE EXCLUDED OR LIMITED BY LAW. 
IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD-PARTY FOR ANY LOSS OF USE, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic AreaREVENUE, to comply with: OR PROFIT, OR FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, OR PUNITIVE DAMAGES WHETHER ARISING OUT OF BREACH OF CONTRACT, TORT (iINCLUDING NEGLIGENCE), OR OTHERWISE, REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANY OTHER SECTION OF THIS AGREEMENT, AND SUBJECT TO SECTIONS 11.1 AND 11.2[, AND SAVE FOR [INSERT SECTIONS]], EACH PARTY’S TOTAL AGGREGATE LIABILITY (INCLUSIVE OF INTEREST AND LEGAL AND OTHER COSTS) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and TO THE OTHER IN RESPECT OF ALL CLAIMS ARISING UNDER OR IN CONNECTION WITH THIS AGREEMENT (iiWHETHER DUE TO NEGLIGENCE, BREACH OF CONTRACT OR OTHERWISE) any reasonable instructions notified to it by the Authority or Contracting Body concernedSHALL NOT EXCEED [INSERT SUM]. EACH PARTY SHALL TAKE OUT AND MAINTAIN SUFFICIENT INSURANCE COVERAGE TO COVER ANY PAYMENT THAT MAY BE REQUIRED UNDER THESE TERMS AND SHALL PRODUCE THE POLICY AND RECEIPT FOR PREMIUM PAYMENT UPON REQUEST. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 21 contracts

Sources: Referral Agreement, Referral Agreement, Referral Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Goods and Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Goods and Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data 
Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 22.2.10.1 permit the Authority or the Authority’s Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Sub- Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) 22.2.10.2 provide a written description of the technical and organisational methods employed by the Supplier for Processing processing Personal Data (within the timescales required by the Authority); and (c) 22.2.10.3 not cause or permit to be Processed processed and/or otherwise transferred outside the European UK[European Economic Area Area] any Personal Data supplied to it by the Authority or any Other other Contracting Body without the prior written Approval consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) 22.2.10.3.1 the obligations of a Data 
Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) 22.2.10.3.2 any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 17 contracts

Sources: It Hardware and Solutions Framework Agreement, It Hardware and Solutions Framework Agreement, Framework Agreement

Data Protection. 22.1 23.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 23.2 The Supplier shall: 22.2.1 Process 23.2.1 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process 23.2.2 process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Available Goods and Services or as is required by Law or any Regulatory Body; 22.2.3 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 23.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 23.2.5 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Available Goods and Services; 22.2.6 23.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)23; 22.2.7 23.2.7 ensure that none of Supplier’s Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 23.2.8 notify 
the Authority within five (5) Working Days if it receives: (a) 23.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or (b) 23.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 23.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) 23.2.9.1 providing the Authority with full details of the complaint or request; (b) 23.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) 23.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) 23.2.9.4 providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 23.2.9.5 permit the Authority or the Authority’s Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European 
Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 10 contracts

Sources: Goods and Services Framework Agreement, Goods and Services Framework Agreement, Goods and Services Framework Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under 27.1 In this Framework Agreementclause 27, the terms, “processes”, “data controller” and “data processor” shall have the same meanings given to them under Data Protection Legislation. 27.2 The Parties agree acknowledge that for the Authority purposes of Data Protection Legislation, UKRI is the Data Controller data controller and that the Supplier is the Data Processordata processor of any UKRI Personal Data. 22.2 27.3 The Supplier shall:shall itself, and shall procure that the Staff, comply with all Data Protection Legislation in relation to any Personal Data processed. 22.2.1 Process 27.4 Without limiting clauses 27.2 and 27.3, the Supplier shall at all times (and shall ensure that at all times its Staff): (a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Authority (which may be specific instructions or instructions Term of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Contract the Supplier during shall immediately inform UKRI if, in the Term)Supplier’s opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable Law; 22.2.2 Process (b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations; (c) have in place a suitably qualified data protection representative to manage the Personal Data; (d) disclose any Personal Data only on a need to the extent, and in such manner, as it necessary for know basis to Staff directly concerned with the provision of the Services or as is required by Law or any Regulatory BodyGoods and/or Services; 22.2.3 implement (e) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI’s prior written consent (which 
consent may be subject to conditions as directed by ▇▇▇▇); (f) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to protect the keep all Personal Data confidential and secure and to protect against unauthorised or unlawful Processing and against processing, accidental loss, destruction, damage, alteration alteration, disclosure or disclosure. These measures shall access; (g) keep records of their data processing activities performed under this Contract in order to be appropriate able to provide information included in those records to the harm which might result from any unauthorised or unlawful Processingdata protection authorities, accidental lossupon request, destruction or damage including but not limited to the Personal Data and having regard to the nature Information Commissioner. Records should include: (i) details of the Personal Data which is to be protecteddata controller and data processor and their representatives; 22.2.4 take all reasonable steps to ensure (ii) the reliability categories of any Supplier’s Staff who have access processing activities that are performed; (iii) information regarding cross-border data transfers; and (iv) a general description of the security measures that are implemented; (h) upon request by UKRI, promptly do such other acts in relation to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order , or any part thereof, as UKRI shall request to transfer the Personal Data enable UKRI to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in 
writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's its obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation (i) notify UKRI promptly (and assistance in relation to any at least within 24 hours) if it receives a request from a Data Subject or a complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation relating to a Data Subject (within the timescales and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the Authorityrequest or complaint within any applicable time frames; (j) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Supplier’s compliance with this clause 27 and the Data Protection Legislation; (k) on termination or expiry of this Contract, and at any other time on UKRI’s request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and (dl) providing notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the 
Authority’s Representative (subject Personal Data Breach to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (Information Commissioner and/or those of its agents, subsidiaries and Sub-ContractorsData Subject(s) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with otherwise fulfil its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 6 contracts

Sources: Goods & Services Contract, Contract for the Supply of Services, Contract for the Supply of Installation of Fibre

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliated Company for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 6 contracts

Sources: Courier Services Framework Agreement, Courier Services Framework Agreement, Courier Services Framework Agreement

Data Protection. 27.1 In this clause 27, the terms, “processes”, “data controller” and “data processor” shall have the same meanings given to them under Data Protection Legislation. 27.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Service Provider is the data processor of any UKRI Personal Data. 27.3 The Service Provider shall itself, and shall procure that the Staff, comply with all Data Protection Legislation in relation to any Personal Data processed. 27.4 Without limiting clauses 27.2 and 27.3, the Service Provider shall at all times (and shall ensure that at all times its Staff): (a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Term of this Contract the Service Provider shall immediately inform UKRI if, in the Service Provider’s opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable Law; (b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations; (c) have in place a suitably qualified data protection representative to manage the Personal Data; (d) disclose any Personal Data only on a need to know basis to Staff directly concerned with the provision of the Services; (e) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI’s prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇); (f) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access; (g) keep records of their data processing activities performed under this Contract in order to be able to provide information included in those records to the data protection authorities, upon request, including but not limited to the Information Commissioner. Records should include: (i) details of the data controller and data processor and their representatives; (ii) the categories of processing activities that are performed; (iii) information regarding cross-border data transfers; and (iv) a general description of the security measures that are implemented; (h) upon request by UKRI, promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation; (i) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames; (j) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Service Provider’s compliance with this clause 27 and the Data Protection Legislation; (k) on termination or expiry of this Contract, and at any other time on UKRI’s request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and (l) notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under the Data Protection Legislation.

Appears in 6 contracts

Sources: Facilities Management Services Contract, Facilities Management Services Contract, Facilities Management Services Contract

Data Protection. [REMEMBER THIS IS THE NON-DATA PROCESSING CONTRACT – IF THE SERVICE INVOLVES DATA PROCESSING THE ALTERNATIVE STANDARD CONTRACT MUST BE USED] 23.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 23 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 23.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Data Controller. The only processing that the Supplier is authorised to do by the Authority is in accordance with written instructions from and may not be determined by the Supplier. 23.3 Without prejudice to the generality of clause 23.1, the Authority will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier, if required, for the duration and purposes of this agreement. 23.4 Without prejudice to the generality of clause 23.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process Personal Data only on the written instructions of the Authority; (b) the Supplier’s personnel do not process Personal Data except in accordance with this Agreement; (c) if requested, provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Supplier is able to comply with its obligations under the Data Protection Legislation; (d) notify the Authority immediately if it receives: (i) a request from a Data Subject to have access to that person’s Personal Data; (ii) a request to rectify, block or erase any Personal Data; (iii) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Authority in responding to any request from a Data Subject and in ensuring compliance with the Authority’s obligations under the Data Protection Legislation; (f) ensure it does not knowingly or negligently do or omit to do anything which places the Authority in breach of the Authority's obligations under the Data Protection Legislation; and (g) notify the Authority immediately and in any event within 24 hours on becoming aware of a Personal Data breach. 23.5 Any written instructions issued in accordance with this clause 23 will include detailed requirements in relation to Data Processing. 23.6 The provisions of this clause shall apply during the continuance of the agreement and indefinitely after its expiry or termination.

Appears in 5 contracts

Sources: Contract for the Provision of Services, Contract for the Provision of Services, Contract for the Provision of Services

Data Protection. 15.2.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 15.2.2 To the extent that the Supplier is acting as a Data Processor on behalf of the Company, the Supplier shall, in particular, but without limitation: (a) only process such Personal Data and/or Sensitive Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with any instruction given by the Company under this Agreement; (b) put in place appropriate technical and organisational measures against any unauthorised or unlawful processing of such Personal Data and/or Sensitive Personal Data, and against the accidental loss or destruction of or damage to such Personal Data and/or Sensitive Personal Data having regard to the specific requirements in this Agreement, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data and/or Sensitive Personal Data is affected by such unauthorised or unlawful processing or by its loss, damage or destruction; (c) take all reasonable steps to ensure the reliability of staff who will have access to such Personal Data and/or Sensitive Personal Data, and ensure that such staff are properly trained in protecting Personal Data and Sensitive Data; (d) provide the Company with such information as the Company may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA; (e) promptly notify the Company of any requests for disclosure of or access to the Personal Data and/or Sensitive Personal Data; (f) promptly notify the Company of any breach of the security measures required to be put in place pursuant to this clause 15.2.2; (g) ensure it does not knowingly or negligently do or omit to do anything which places the Company in breach of its obligations under the DPA; (h) to the extent that any Company data is held and/or processed by the Supplier, the Supplier shall supply that Company data to the Company as requested by the Company. (i) ensure that it is registered under the DPA and the registration covers any processing required under this Agreement. 15.2.3 The Supplier and the Company shall ensure that Personal Data and Sensitive Personal Data is safeguarded at all times in accordance with the law.

Appears in 5 contracts

Sources: Vendor and Supplier Contracts, Services Agreements, Services Agreement

Data Protection. 16.1. The Supplier acknowledges that Personal Data described in the scope of Schedule 9 (Data Protection) may be Processed in performance of the Contract. For the purposes of any such Processing, the Parties agree that the Supplier acts as the Data Processor and the Purchaser acts as the Data Controller. 16.2. Both Parties agree to negotiate in good faith any such amendments to this Contract that may be required to ensure that both Parties meet all their obligations under Data Protection Laws. The provisions of this clause 16 are without prejudice to any obligations and duties imposed directly on the Supplier under Data Protection Laws and the Supplier hereby agrees to comply with those obligations and duties. 16.3. The Supplier will, in conjunction with the Purchaser and in its own right and in respect of the Contract, make all necessary preparations to ensure it will be compliant with Data Protection Laws. 16.4. The Supplier will provide the Purchaser with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under the Data Protection Laws. 16.5. The Supplier must: 16.5.1. process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by the Purchaser (which may be specific instructions or instructions of a general nature), including with regard to transfers of Personal Data outside the United Kingdom unless required to do so by law or Regulatory Body to which the Supplier is subject; in which case the Supplier must, unless prohibited by that law, inform the Purchaser of that legal requirement before processing the Personal Data only to the extent, and in such manner as is necessary for the performance of the Supplier’s obligations under this Contract or as is required by the Law; 16.5.2. subject to clause 16.5.1 only process or otherwise transfer any Personal Data in or to any country outside the United Kingdom with the Purchaser’s prior written consent; 16.5.3. take all reasonable steps to ensure the reliability and integrity of any Supplier Representatives who have access to the Personal Data and ensure that the Supplier Representatives: (a) are aware of and comply with the Supplier’s duties under this Clause; (b) are subject to appropriate confidentiality undertakings with the Supplier or the relevant Sub-contractor; (c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; and (d) have undergone adequate training in the use, care, protection and handling of Personal Data. 16.5.4. implement appropriate technical and organisational measures including those set in accordance with Article 32 of the GDPR to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected. 16.6. The Supplier shall not engage a sub-contractor to carry out Processing in performance of the Contract without prior specific or general written authorisation from the Purchaser. In the case of general written authorisation, the Supplier must inform the Purchaser of any intended changes concerning the addition or replacement of any other sub-contractor and give the Purchaser an opportunity to object to such changes. 16.7. If the Supplier engages a sub-contractor for carrying out Processing activities on behalf of the Purchaser, the Supplier must ensure that the same data protection obligations as set out in this Contract are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Supplier shall remain fully liable to the Purchaser for the performance of the sub-contractor’s performance of the obligations. 16.8. The Supplier must provide to the Purchaser reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the GDPR. 16.9. The Supplier must notify the Purchaser if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws; (d) receives any communication from the Supervisory Authority or any other regulatory authority in connection with Personal Data processed under this Contract; or (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulatory order; and such notification must take place as soon as is possible but in any event within 3 business days of receipt of the request or any other period as agreed in writing with the Purchaser from time to time. 16.10. Taking into account the nature of the Processing and the information available, the Supplier must assist the Purchaser in complying with the Purchaser’s obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations in accordance with Articles 32 to 36 of the GDPR. These obligations include: (a) ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events. (b) notifying a Personal Data breach to the Purchaser without undue delay and in any event no later than 24 hours after becoming aware of a Personal Data breach; (c) assisting the Purchaser with communication of a personal data breach to a Data Subject; (d) supporting the Purchaser with preparation of a data protection impact assessment; (e) supporting the Purchaser with regard to prior consultation of the Supervisory Authority. ▇▇.▇▇. ▇▇ the termination or expiry of the Contract the Supplier must, on written instruction of the Purchaser, delete or return to the Purchaser all Personal Data and delete existing copies unless law to which the Supplier is subject requires storage of the Personal Data.

Appears in 4 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 22.1 17.1. With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 Processor in relation to Authority Personal Data. The Supplier shall:shall (and shall procure that Staff) comply with any notification requirements under the Data Protection Legislation 22.2.1 Process 17.2. Notwithstanding the general obligation in Clause 17.1, where the Supplier is Processing any Authority Personal Data only in accordance with instructions from for the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and shall ensure that it has in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect ensure the security of the Authority Personal Data (and to guard against unauthorised or unlawful Processing of the Authority Personal Data and against accidental lossloss or destruction of, destructionor damage to, damagethe Authority Personal Data), alteration or disclosure. These measures shall be appropriate as required under the ‘Seventh Data Protection Principle’ in schedule 1 to the harm which might result from Data Protection ▇▇▇ ▇▇▇▇ and shall: 17.2.1. provide the Authority with such information as the Authority may reasonably request to satisfy itself that the Supplier is complying with its obligations under the Data Protection Legislation; 17.2.2. 
promptly notify the Authority of any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature breach of the Personal Data which is security measures to be protectedput in place pursuant to this Clause 17.2; 22.2.4 17.2.3. ensure that it does not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the Data Protection Legislation; 17.2.4. take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Authority Personal Data; 22.2.5 17.2.5. obtain prior Approval from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliates Affiliated Company for the provision of the Services; 22.2.6 17.2.6. ensure that all Supplier Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)17; 22.2.7 17.2.7. ensure that none of Supplier’s the Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 17.2.8. notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Authority Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation;; and 22.2.9 17.2.9. 
provide the Authority with full cooperation and assistance in relation to any complaint or request mademade relating to the Authority Personal Data, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Authority Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority;. 22.2.10 17.3. The Supplier shall: (a) permit the Authority shall not Process or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing otherwise transfer any Personal Data (within the timescales required by the Authority); and (c) not cause in or permit to be Processed and/or otherwise transferred any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data supplied in or to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer anywhere outside the European Economic Area, the following provisions shall apply: (a) the Supplier shall propose a variation to comply withthe Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause Error! Reference source not found. (Variation rocedure) and Clauses 1.1.1(b) to 1.1.1(d); (b) the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: (i) the obligations of a Personal Data Controller under which will be transferred to and/or Processed in or to any Restricted Countries; (ii) the Eighth Restricted Countries to which the Personal Data Protection Principle set out will be transferred and/or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Schedule 1 of Restricted Countries; (iv) how the Data Protection Act 1998 by providing Supplier will ensure an adequate level of protection to any and adequate safeguards in respect of the Personal Data that is transferredwill be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and (d) the Supplier shall comply with such other instructions and shall carry out 
such other actions as the Authority may notify in writing, including: (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and (ii) procuring that any reasonable instructions notified to it Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (A) a direct data processing agreement with the Authority on such terms as may be required by the Authority; or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority or Contracting Body concernedand the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. 22.2.11 17.4. The Supplier shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the Data Protection Legislation DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable the Authority’s obligations under the Data Protection Legislation.DPA to the extent

Appears in 4 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 22.1 With respect 14.1 The SERVICE PROVIDER’s attention is hereby drawn to the Parties' rights Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 14.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Framework AgreementContract, undertakes the Parties agree that Processing of Personal Data on behalf of the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier CLIENT, it shall: 22.2.1 Process 14.2.1 carry out the Processing of Personal Data only in accordance with instructions from the Authority CLIENT (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority CLIENT to the Supplier SERVICE PROVIDER during the Term); 22.2.2 Process 14.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 22.2.3 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 14.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff SERVICE PROVIDER personnel who have access to the Personal Data; 22.2.5 14.2.5 obtain prior Approval written consent from the Authority CLIENT in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 22.2.6 14.2.6 ensure that all Supplier Staff any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)14; 22.2.7 14.2.7 ensure that none of Supplier’s Staff the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCLIENT; 22.2.8 14.2.8 notify the Authority CLIENT (within five (5) Working Days Days) if it receives: (a) 14.2.8.1 a request from a Data Subject to have access to that person's person’s Personal Data; or (b) 14.2.8.2 a complaint or request relating to the Authority's CLIENT’s obligations under the Data Protection LegislationRequirements; 22.2.9 14.2.9 provide the Authority CLIENT with full cooperation and assistance in relation to any complaint or request made, including by: (a) 14.2.9.1 providing the Authority CLIENT with full details of the complaint or request; (b) 14.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's CLIENT’s instructions; (c) 14.2.9.3 providing the Authority CLIENT with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthorityCLIENT); 
and (d) 14.2.9.4 providing the Authority CLIENT with any information requested by the AuthorityCLIENT; 22.2.10 The Supplier shall: (a) 14.2.10 permit the Authority CLIENT or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority CLIENT to enable the Authority CLIENT to verify and/or procure that the Supplier SERVICE PROVIDER is in full compliance with its obligations under this Framework AgreementContract; (b) 14.2.11 provide a written description of the technical and organisational methods employed by the Supplier SERVICE PROVIDER for Processing Personal Data (within the timescales required by the AuthorityCLIENT); and (c) 14.2.12 not cause or permit to be Processed and/or otherwise transferred undertake the Processing of Personal Data outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned CLIENT and, where the Authority or Other Contracting Body concerned CLIENT consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: (i) 14.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) 14.2.12.2 any reasonable instructions notified to it by the Authority or Contracting Body concernedCLIENT. 
22.2.11 14.3 The Supplier SERVICE PROVIDER shall comply at all times with the Data Protection Legislation Requirements and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Authority CLIENT to breach any of its applicable obligations under the Data Protection LegislationRequirements. 14.4 The CLIENT may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CLIENT such information as the CLIENT may reasonably require relating to: 14.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 14.4.2 the rights of Data Subjects, including but not limited to subject access rights. 14.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CLIENT or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. 14.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CLIENT is the Data Controller and the SERVICE PROVIDER is the Data Processor. 
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 28, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CLIENT, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 28 relating to the appointment of Sub-Contractors, the CLIENT hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CLIENT’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CLIENT in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 14.2. Any Sub-Contractor appointed under the provisions of this Clause 14.6 shall, for the purposes of Schedule 2-7, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-7. 14.7 Save as set out in this Clause 14, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited. 
14.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CLIENT against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CLIENT which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 4 contracts

Sources: Contract for Legal Services, Contract, Contract for Legal Services

Data Protection. 22.1 With respect to the Parties' rights 35.1 The Contractor shall (and obligations under this Framework Agreement, the Parties agree shall procure that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only all of its staff involved in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or Agreement) comply with any notification requirements under the Data Protection Act 1998 (“DPA”) and any other applicable data protection legislation. 35.2 Notwithstanding the general obligation in Clause 35.1, where the Contractor is processing personal data (as is required defined by Law or any Regulatory Body; 22.2.3 implement the DPA) as a data processor for the Authority (as defined by the DPA) the Contractor shall ensure that it has in place appropriate technical and organisational contractual measures to protect ensure the Personal Data security of the personal data (and to guard against unauthorised or unlawful Processing processing of the personal data and against accidental lossloss or destruction of, destructionor damage to, damagethe personal data), alteration or disclosure. 
These measures shall be appropriate as required under the Seventh Data Protection Principle in Schedule 1 to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage DPA; and 35.2.1 to maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Authority by the Seventh Principle; 35.2.2 only to process Personal Data for and having regard to the nature on behalf of the Personal Data which is Authority, in accordance with the instructions of the Authority and for the purpose of performing the Services in accordance with the Contract and to be protectedensure compliance with the DPA; 22.2.4 take all reasonable steps 35.2.3 to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from allow the Authority in order to transfer audit the Personal Data Contractor's compliance with the requirements of this Clause 35 on reasonable notice and/or to any Sub-Contractors or Affiliates for provide the provision Authority with evidence of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply its compliance with the obligations set out in this Clause 22 (Data Protection)35; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 35.2.4 promptly notify the Authority within five (5) Working Days if of any breach of the security measures required to be put in place; and 35.2.5 ensure that it receives: (a) a request from a Data Subject does not knowingly or negligently do or omit to have access to that person's Personal Data; or (b) a complaint or request relating to do anything which places the Authority's Authority in breach of the Authority’s obligations under the Data Protection 
Legislation;DPA. 22.2.9 provide 35.3 Subject to Clause 19, the Contractor agrees to indemnify and keep indemnified the Authority with full cooperation against all claims and assistance proceedings and all liability, loss, costs and expenses incurred in relation connection therewith by the Authority as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Contractor's unauthorised processing, unlawful processing, destruction of and/or damage to any complaint Personal Data processed by the Contractor, its employees or request madeagents in the Contractor's performance of the Contract or as otherwise agreed between the Parties. 35.4 Both Parties agree to use reasonable efforts to assist each other to comply with the DPA. For the avoidance of doubt, including by: (a) this includes the Contractor providing the Authority with full details assistance in complying with subject access requests served on the Authority under Section 7 of the complaint or request; (b) complying with a data access request within DPA and the relevant timescales set out in the Data Protection Legislation and in accordance Contractor consulting with the Authority's instructions; (c) providing Authority prior to the Authority with disclosure by the Contractor of any Personal Data it holds in relation to a Data Subject (within such requests. 
35.5 The provisions of this Clause 35 shall apply during the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description continuance of the technical Contract and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause indefinitely after its expiry or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedtermination. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 3 contracts

Sources: Contract for the Provision of Educational Inputs to the NHS Graduate Management Training Scheme, Contract for the Provision of Educational Inputs to the NHS Graduate Management Training Scheme, Contract for the Provision of Educational Inputs to the NHS Graduate Management Training Scheme

Data Protection. 22.1 21.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree parties acknowledge that the Authority is Authorities will be acting as both Data Controllers and Data Processors according to circumstance during the Data Controller and that term of the Supplier is the Data ProcessorAgreement. 22.2 21.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 Authorities will take all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff employees who have access to Personal Data and ensure that employees: (i) are aware of and comply both the Personal DataAuthority’s Data Controller duties and with the Authority’s Data Processor duties under this Agreement; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data (ii) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityData Controller Authority or as otherwise permitted by this Agreement; and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 22.2.8 21.3 When an Authority is acting as Data Processor it shall: (i) process the Personal Data only in accordance with instructions from the Authority who is the Data Controller, (ii) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data, (iii) not disclose or transfer the Personal Data to any third party or Supplier unless necessary for the provision of the Services and, (iv) notify the Authority Data Controller within five (5) 3 Working Days if it receives: (a) a request 
receives from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request); (v) a request to have access to that person's rectify, block or erase any Personal Data; or (b) a or any other request, complaint or request communication relating to the Authority's obligations under the Data Protection LegislationDPA; 22.2.9 (vi) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (vii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; (viii) provide the Authority Data Controller with full cooperation and assistance (within the timescales reasonably required by that Authority) in relation to any complaint complaint, communication or request made, made including by: (a) by promptly providing the that Authority with full details and copies of the complaint complaint, communication or request; (b) complying request and where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with a data access request the Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;DPA. 
(c) providing the Authority with 21.4 The Authorities agree that they shall not Process or otherwise transfer any Personal Data it holds in relation or to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred country outside the European Economic Area or any Personal Data supplied to it country not deemed adequate by the Authority or any Other Contracting Body without the prior written consent European Commission pursuant to Article 25(6) of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents Directive 95/46/EC. 21.5 The Authorities shall use their reasonable endeavours to Processing and/or transfer outside the European Economic Area, assist each other to comply with: (i) the with any obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation DPA and shall not perform its their obligations under this Framework Agreement in such a way as to cause the other Authority to breach any of its applicable obligations under the Data Protection LegislationDPA to the extent the Authority is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 3 contracts

Sources: Collaboration Agreement, Collaboration Agreement, MKS Model Shared Service Collaboration Agreement

Data Protection. 18.1 The Executive shall at all times during the Appointment adhere to any policy introduced by the Company from time to time to comply with the DPA or equivalent legislation in any other relevant jurisdiction. Breach of this undertaking will constitute a disciplinary offence. 18.2 The Executive hereby consents to the Company holding and processing both electronically and manually the personal data it collects which relates to the Executive which is necessary or reasonably required for the proper performance of this agreement, for management, administrative and other employment related purposes (both during and after the Appointment) or for the conduct of the Group’s business or to comply with applicable law, rules and regulations (the “Authorised Purposes”) and the Executive agrees to provide the Group with all personal data relating to her which is necessary or reasonably required for the Authorised Purposes. 18.3 The Executive explicitly consents to the Company or any other Group Company processing her personal data, including her sensitive personal data, where this is necessary or reasonably required to achieve one or more of the Authorised Purposes. 18.4 The Executive acknowledges that the Company may, from time to time collect or disclose her personal data (including her sensitive personal data) from and to third parties (including without limitation the Executive’s referees, any management consultants or computer maintenance companies engaged by the Company, the Company’s professional advisers, other Group Companies, any suppliers of goods or services to the Group and potential purchasers of the business carried on by the Company and/or the Group). The Executive consents to such collection and disclosure even where this involves the transfer of such data, with appropriate safeguards, outside the European Economic Area where this is necessary or reasonably required to achieve one or more of the Authorised Purposes or is in the interests of the Company and/or its shareholders. 18.5 The Company agrees to process any personal data made available to it by the Executive in accordance with the provisions of the DPA. 18.6 In this clause “data controller” “personal data” “processing” and “sensitive personal data” shall have the meaning set out in section 1 of the DPA.

Appears in 3 contracts

Sources: Service Agreement (Eros International PLC), Service Agreement (Eros International PLC), Service Agreement (Eros International PLC)

Data Protection. 22.1 With respect 2.1 The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the Parties' rights avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. 2.2 To the extent that the nature of this Framework Agreement means that the Parties are acting both as Controllers, each Party undertakes to comply at all times with its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller Protection Legislation and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process 2.2.1 implement such measures and perform its obligations (as applicable) in compliance with the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Protection Legislation; 22.2.2 Process 2.2.2 be responsible for determining its data security obligations taking into account the Personal state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data only to the extentSubjects, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to loss and ensure the protection of the rights of the Data Subject, in such a manner that Processing will meet the requirements of the Data Protection Legislation where Personal Data has been transmitted by it, or while the Personal Data and having regard is in its possession or control; 2.2.3 where appropriate, promptly refer to the nature other Party any requests, from (i) Data Subjects in regards to the right of the access to Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure by that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under in accordance with the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it 
holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) the Information Commissioner; or (iii) any other law enforcement authority and to the extent it is reasonable instructions notified and practical to it by do so consult with the Authority or Contracting Body concernedother Party (for the avoidance of doubt at no additional cost) before responding to such request. 
22.2.11 The Supplier shall comply at all times 2.3 Where Personal Data is shared between the Parties, each acting as Controller: 2.3.1 the Data Transferor warrants and undertakes to the Data Recipient that such Personal Data has been collected, Processed and transferred in accordance with the Data Protection Legislation and shall not perform this Clause 2 of this Schedule 3; 2.3.2 the Data Recipient will Process the Personal Data in accordance with the Data Protection Legislation and this Clause 2 of this Schedule 3; and 2.3.3 where the Data Recipient is in breach of its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under Schedule 3 and the Data Protection Legislation, the Data Transferor may temporarily suspend the transfer of the Personal Data to the Data Recipient until the breach is repaired. 2.4 The Supplier and the Authority shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). 2.5 The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Framework Agreement.

Appears in 3 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection ▇▇▇ ▇▇▇▇, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement. The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to any such transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data. For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection ▇▇▇ ▇▇▇▇.

Appears in 3 contracts

Sources: Data Licence Agreement, Data Licence Agreement, Data Licence Agreement

Data Protection. 22.1 With respect 30.1 For the purposes of this Clause 30, the terms "Data Controller", "Data Processor", “Data Subject” "Personal Data", "Process" and "Processing" shall have the meaning prescribed under the DPA 30.2 The Provider shall (and shall procure that all of its Staff and Sub-Contractors and/or Agents) comply with any notification requirements under the DPA and all Parties will duly observe all of their obligations under the DPA which arise in connection with this Contract. 30.3 The Provider shall not disclose Personal Data to any third parties other than: 30.3.1 to staff, Sub-Contractors and agents to whom such disclosure is reasonably necessary in order to perform the Agreement; or 30.3.2 to the Parties' rights and obligations extent required under this Framework Agreementa court order 30.4 Notwithstanding the general obligation in Clause 30.1, where the Parties agree that Provider is processing Personal Data as a Data Processor for the Authority is Customer the Data Controller and that the Supplier is the Data Processor.Provider shall:- 22.2 The Supplier shall: 22.2.1 30.4.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature Customer as set out in this Framework Agreement Contract or as otherwise notified by the Authority to the Supplier during the Term)Customer; 22.2.2 30.4.2 comply with all applicable laws; 30.4.3 Process the Personal Data only to the extent, and in such manner, manner as it is necessary for the provision of the Services or as is required by Law or any Regulatory BodyProvider's obligations under the Agreement; 22.2.3 30.4.4 implement appropriate technical and organisational measures to ensure the security of the Authorised Personal Data (and to guard against unauthorised or unlawful processing of the personal data) as required under the “Seventh Data Protection Principle” and protect the Personal Data against 
unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 30.4.5 take all reasonable steps to ensure the reliability of any Supplier’s Staff its employees and agents who may have access to the Personal Data and use all reasonable endeavours to ensure that such persons have sufficient skills and training in the handling of Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority 
with any information requested by the Authority; 22.2.10 30.4.6 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) Provider shall not cause or permit to be Processed processed, stored, accessed and/or otherwise transferred outside the European Economic Area any Personal Data or other Personal Data supplied to it by LPP or the Authority or any Other Contracting Body without Customer, as the prior written consent of the Authority or Contracting Body concerned case may be, and, where LPP and/or the Authority or Other Contracting Body concerned Customer consents to Processing such processing, storage, access and/or transfer outside the European Economic Area, to shall comply with: (i) with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection protection. 30.4.7 not disclose the Personal Data to any Personal Data that is transferredthird parties in any circumstances other than with the written consent of the Customer or in compliance with a legal obligation imposed upon the Customer; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Sources: Dynamic Purchasing System Agreement, Dynamic Purchasing System Agreement

Data Protection. 22.1 With respect 27.1 In this clause 27, the terms, “processing”, “data controller” and “data processor”, “data protection officer” “data subject” “personal data” “personal data breach” shall have the same meanings given to them under UK GDPR or the EU GDPR as the context requires. 27.2 The Supplier acknowledges the only Processing that it is authorised to do is listed in Schedule 7 (Processing Personal Data) by UKRI. 27.3 The Supplier shall notify UKRI immediately if it considers that any of UKRI’s instructions infringe the Data Protection Legislation. 27.4 The Supplier shall provide all reasonable assistance to UKRI in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of UKRI, include: 27.4.1 a systematic description of the envisaged Processing and the purpose of the Processing; 27.4.2 an assessment of the necessity and proportionality of the Processing in relation to the Parties' Goods and/or Services; 27.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 27.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 27.5 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shallContract: 22.2.1 27.5.1 Process the that Personal Data only in accordance with instructions from the Authority Schedule 7 (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Processing Personal Data), unless the Supplier during is required to do otherwise by Law. 
If it is so required the Term); 22.2.2 Process Supplier shall notify UKRI before Processing the Personal Data only unless prohibited by Law; 27.5.2 ensure that it has in place Protective Measures, (if the Supplier is holding UKRI Data, including back-up data, that it is held by a secure system that complies with the Security Policy and any applicable Security Management Plan) which UKRI may reasonably reject (but failure to the extent, and in such manner, as it necessary for the provision reject shall not amount to approval by UKRI of the Services or as is required by Law or any Regulatory Body;adequacy of the Protective Measures) having taken account of the: 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the a) nature of the Personal Data which is data to be protected; 22.2.4 take b) harm that might result from a Personal Data Breach; c) state of technological development; and d) cost of implementing any measures; 27.5.3 ensure that: a) the Supplier Staff do not Process Personal Data except in accordance with the Contract (and in particular Schedule 7 (Processing Personal Data)); b) it uses all reasonable steps endeavours to ensure the reliability and integrity of any Supplier’s Supplier Staff who have access to the Personal DataData and ensure that they: (i) are aware of and comply with the Supplier’s duties under this Clauses 28 and 25; 22.2.5 obtain prior Approval from (ii) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Supplier or any Subsub-Contractors or Affiliates for the provision of the Servicesprocessor; 22.2.6 ensure that all 
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by UKRI or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; 27.5.4 not transfer Personal Data outside of the UK unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or b) UKRI or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by UKRI which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures determined by UKRI; c) the Data Subject (as defined by the Data Protection Act 2018) has enforceable rights and effective legal remedies; d) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist UKRI in meeting its obligations); and e) the Supplier complies with any reasonable instructions notified to it in advance by UKRI with respect to the Processing of the Personal Data;
27.5.5 where the Personal Data is subject to EU GDPR, not transfer Personal Data outside of the EU unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the EU GDPR; or b) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; c) the Data Subject has enforceable rights and effective legal remedies; d) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and e) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
27.5.6 at the written direction of UKRI, delete or return Personal Data (and any copies of it) to UKRI on termination of this Contract unless the Supplier is required by Law to retain the Personal Data.
27.6 Subject to Clause 28.7, the Supplier shall notify UKRI immediately if in relation to it Processing Personal Data under or in connection with this Contract it: 27.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 27.6.2 receives a request to rectify, block or erase any Personal Data; 27.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 27.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under the Contract; 27.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 27.6.6 becomes aware of a Personal Data Breach. 27.7 The Supplier’s obligation to notify under Clause 28.6 shall include the provision of further information to UKRI, as details become available.
27.8 Taking into account the nature of the Processing, the Supplier shall provide UKRI with assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 28.6 (and insofar as possible within the timescales reasonably required by UKRI) including by immediately providing: 27.8.1 UKRI with full details and copies of the complaint, communication or request; 27.8.2 such assistance as is reasonably requested by UKRI to enable it to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 27.8.3 UKRI, at its request, with any Personal Data it holds in relation to a Data Subject; 27.8.4 assistance as requested by UKRI following any Personal Data Breach; and/or 27.8.5 assistance as requested by UKRI with respect to any request from the Information Commissioner’s Office or any other regulatory authority, or any consultation by UKRI with the Information Commissioner's Office or any other regulatory authority. 27.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with Clause 28. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: 27.9.1 UKRI determines that the Processing is not occasional; 27.9.2 UKRI determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 27.9.3 UKRI determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 27.10 The Supplier shall allow for audits of its Data Processing activity by UKRI or UKRI’s designated auditor. 27.11 The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 
27.12 Before allowing any sub-processor to process any Personal Data related to the Contract, the Supplier must: 27.12.1 notify UKRI in writing of the intended sub-processor and processing; 27.12.2 obtain the written consent of UKRI; 27.12.3 enter into a written agreement with the sub-processor which give effect to the terms set out in this Clause 28 such that they apply to the sub-processor; and 27.12.4 provide UKRI with such information regarding the sub-processor as UKRI may reasonably require. 27.13 To the extent that UKRI provides its consent pursuant to clause 28.12, the Supplier shall flow down the contractual obligations contained in this clause 28 to sub-processors. For the avoidance of doubt, the Supplier shall remain fully liable for all acts or omissions of any of its sub-processor. 27.14 UKRI may, at any time on not less than 30 Working Days’ notice, revise this Clause 28 by replacing it with any applicable controller to Supplier standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 27.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. UKRI may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Sources: Contract for Supply of Goods, Contract for Supply of Goods

Data Protection. 18.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 18 is in addition to, and does not relieve, remove or replace a party’s obligations under the Data Protection Legislation. 18.2 The parties have determined for the purposes of the Data Protection Legislation, that to the extent that VCG processes any personal data on behalf of the Customer in connection with the provision of the Supplies, the Customer is the controller and VCG is the processor of that personal data (where "controller" and "processor" have the meanings as defined in the Data Protection Legislation). 18.3 Without prejudice to the generality of clause 18.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer of Personal Data (as defined in the Data Protection Legislation) to VCG for the duration and purposes of each Contract. 18.4 VCG shall, in relation to any Personal Data processed on behalf of the Customer, in connection with the performance by VCG of its obligations under each Contract: 18.4.1 only process that Personal Data for the purpose of performing its obligations under the Contract; 18.4.2 process the Personal Data only on the written instructions of the Customer unless VCG is required by laws applicable to VCG to process Personal Data (“Applicable Data Processing Laws”).
Where VCG is relying on Applicable Data Processing Laws as the basis for processing Personal Data, VCG shall, where permitted, promptly notify the Customer of this before performing the processing required by the Applicable Data Processing Laws; 18.4.3 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of that Personal Data and against accidental loss or destruction of, or damage to, that Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting the Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 18.4.4 ensure that all personnel who have access to and/or process the Personal Data are obliged to keep the Personal Data confidential;
18.4.5 not transfer any of the Personal Data outside of the UK/European Economic Area unless the following conditions are fulfilled: 18.4.5.1 the Customer or VCG has provided appropriate safeguards in relation to the transfer; 18.4.5.2 the Data Subject (as defined in the Data Protection Legislation) has enforceable rights and effective legal remedies; 18.4.5.3 VCG complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 18.4.5.4 VCG complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
18.4.6 assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessment and consultations with supervisory authorities or regulators; 18.4.7 notify the Customer without undue delay on becoming aware of a Personal Data breach; 18.4.8 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Data Processing Law to store the Personal Data; and 18.4.9 maintain complete and accurate records and information to demonstrate its compliance with this clause 18.4. 18.5 The Customer consents to VCG appointing any necessary third-party processor of Personal Data under each Contract.
VCG confirms that it has entered or (as the case may be) will enter with the third-party into a written agreement substantially on the same terms as set out in clause 18.4 and this clause 18.5. As between the Customer and VCG, VCG shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 18.5. 18.6 VCG may, at any time on not less than 30 days’ notice to the Customer, revise this clause 18 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Agreement).

Appears in 2 contracts

Sources: Master Services Agreement, Master Services Agreement

Data Protection. 17.1. The Customer is the Controller for the Personal Data and DRC is the Processor for the Personal Data. The Processor agrees to process the Personal Data only in accordance with Data Protection Legislation. 17.2. The Parties acknowledge that the Processor may process Personal Data on behalf of the Controller during the term of this Agreement. 17.3. To the extent that the Processor processes Personal Data on behalf of the Controller in connection with this Agreement, the Processor shall: 17.3.1. Solely process the Personal Data for the purposes of fulfilling its obligations under this Agreement and in compliance with the Controller’s written instructions as set out in this Agreement and as may be specified from time to time in writing by the Controller. 17.3.2. Notify the Controller immediately if any instructions of the Controller relating to the processing of the Personal Data are unlawful.
17.3.3. Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the data processing undertaken by the Processor and the information available to the Processor, including (without limitation): 17.3.3.1. Not engage with any Sub-Processor/Sub-Contractor to carry out any processing of Personal Data without the prior written consent of the Controller (such consent not to be unreasonably withheld), provided that notwithstanding any such consent the Processor shall remain liable for compliance with all of the requirements of this Agreement including in relation to the processing of Personal Data.
17.4. The Processor shall ensure that any persons used by the Processor to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in Data Protection and in the care and handling of Personal Data. 17.5. The Processor shall take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR. 17.6. The Processor shall promptly notify the Controller if it receives a request from a Data Subject (Data Subject Access Request) under any Data Protection Legislation in respect of Personal Data. 17.7. The Processor shall provide information and assistance upon request to enable the Controller to notify Data Security Breaches to the Information Commissioner and / or affected individuals and / or to any other regulators to whom the Controller is required to notify any Data Security Breaches.
17.8. Upon termination of this Agreement, at the choice of the Controller, the Processor shall delete securely or return all Personal Data to the Controller and delete all existing copies of the Personal Data unless and to the extent that the Processor is required to retain copies of the Personal Data in accordance with Applicable Laws in which case the Processor shall notify the controller in writing of the Applicable Laws which require the Personal Data to be retained. 17.9. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations and allow for and contribute to audits, including inspections, conducted by or on behalf of the Controller or by the Information Commissioners Office (ICO) pursuant to Article 58(1) of the GDPR.
17.10. The Processor shall not transfer any Personal Data outside of the European Economic Area unless the following conditions are fulfilled: a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer; b) the Data Subject has enforceable rights and effective legal remedies; c) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and d) the Processor complies with reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.

Appears in 2 contracts

Sources: General Terms & Conditions, General Terms & Conditions

Data Protection. 20.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 20.2 To the extent that the Lead is acting as a Data Processor (as such term is defined in the DPA) on behalf of the CCG / Council, the Lead shall, in particular, but without limitation: 20.2.1 only process such Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with any instruction given by the CCG / Council under this Agreement; 20.2.2 put in place appropriate technical and organisational measures against any unauthorised or unlawful processing of such Personal Data, and against the accidental loss or destruction of or damage to such Personal Data having regard to the specific requirements in Clause 0 below, the state of technical development and the level of damages that may be suffered by a Data Subject (as such term is defined in the DPA) whose Personal Data is affected by such unauthorised or unlawful processing or by its loss, damage or destruction; 20.2.3 take all reasonable steps to ensure the reliability of employees who will have access to such Personal Data, and ensure that such employees are aware of and trained in the policies and procedures identified in Clauses 0, 0 and 0 below; and 20.2.4 not cause or allow such Personal Data to be transferred outside the European Economic Area without the prior written consent of the CCG / Council.
20.3 The Lead shall ensure that Personal Data is safeguarded at all times in accordance with the DPA and other relevant data protection legislation, which shall include without limitation the obligation to: 20.3.1 perform an annual information governance self-assessment; 20.3.2 have an information guardian able to communicate with the Joint Commissioning Board, who will take the lead for information governance and from whom the Joint Commissioning Board shall receive regular reports on information governance matters including details of all data loss and confidentiality breaches; 20.3.3 (where transferred electronically) only transfer essential data that is (i) necessary for direct Service User care; and (ii) encrypted to the higher of the international data encryption standards for healthcare and the National Standards (this includes, but is not limited to, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes); 20.3.4 have policies which are rigorously applied that describe individual personal responsibilities for handling Personal Data;

Appears in 2 contracts

Sources: Joint Commissioning Agreement, Agreement Under Section 75 of the National Health Service Act 2006 for the Joint Commissioning of Health & Social Care Services

Data Protection. 18.1 The Executive shall at all times during the Appointment adhere to any policy introduced by the Company from time to time to comply with the DPA or equivalent legislation in any other relevant jurisdiction. Breach of this undertaking will constitute a disciplinary offence.
18.2 The Executive hereby consents to the Company holding and processing both electronically and manually the personal data it collects which relates to the Executive which is necessary or reasonably required for the proper performance of this agreement, for management, administrative and other employment related purposes (both during and after the Appointment) or for the conduct of the Group’s business or to comply with applicable law, rules and regulations (the “Authorised Purposes”) and the Executive agrees to provide the Group with all personal data relating to him which is necessary or reasonably required for the Authorised Purposes. 18.3 The Executive explicitly consents to the Company or any other Group Company processing his personal data, including his sensitive personal data, where this is necessary or reasonably required to achieve one or more of the Authorised Purposes. 18.4 The Executive acknowledges that the Company may, from time to time collect or disclose his personal data (including his sensitive personal data) from and to third parties (including without limitation the Executive’s referees, any management consultants or computer maintenance companies engaged by the Company, the Company’s professional advisers, other Group Companies, any suppliers of goods or services to the Group and potential purchasers of the business carried on by the Company and/or the Group). The Executive consents to such collection and disclosure even where this involves the transfer of such data, with appropriate safeguards, outside the European Economic Area where this is necessary or reasonably required to achieve one or more of the Authorised Purposes or is in the interests of the Company and/or its shareholders. 18.5 The Company agrees to process any personal data made available to it by the Executive in accordance with the provisions of the DPA.
18.6 In this clause “data controller” “personal data” “processing” and “sensitive personal data” shall have the meaning set out in section 1 of the DPA.

Appears in 2 contracts

Sources: Service Agreement (Eros International PLC), Service Agreement (Eros International PLC)

Data Protection. Except as would not have a Business Material Adverse Effect: (a) Each Transferred Entity has in relation to its Business complied with the Data Protection Laws. (b) Each Transferred Entity has implemented appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. (c) If required by Data Protection Laws, the Transferred Entities have appointed a data protection officer (“DPO”), and complied with the requirements of Data Protection Laws pertaining to the appointment, the position and the tasks of the DPO. (d) Each Transferred Entity has undertaken appropriate due diligence processes prior to the appointment of processors, to ensure that such processors provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that their processing meet the requirements of Data Protection Laws. (e) Each Transferred Entity has put in place valid and enforceable written agreements with processors that meet the requirements of Article 28 of GDPR and all other requirements of Data Protection Laws. (f) Each Transferred Entity as a controller, processes and has processed Personal Data in a lawful, fair and transparent manner, having always a legal basis for processing such Personal Data, and assuring the data protection principles of purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality, as well as data protection by design and by default. (g) None of the Transferred Entities have received any written notice (including any enforcement notice, de-registration notice or transfer prohibition notice), letter, or complaint, or been the subject of any written enquiry from a data protection authority, or any data subject, alleging non-compliance with the Data Protection Laws. (h) To the Knowledge of Parent, no Person has gained unauthorized access to or made any unauthorized use of any Personal Data processed by any of the Transferred Entities in the past three (3) years. (i) To the extent that Personal Data has been transferred and/or access to Personal Data has been given to recipients outside the European Economic Area (“International Data Transfers”) and to the extent that the GDPR applies, each Transferred Entity has ensured that such International Data Transfers meet the requirements of Chapter V of the GDPR including by implementing appropriate agreements and data transfer mechanisms. (j) Each Transferred Entity has provided information to data subjects in particular to employees and users of its website where and as required by Data Protection Laws.

Appears in 2 contracts

Sources: Stock Purchase Agreement (CARRIER GLOBAL Corp), Stock Purchase Agreement (APi Group Corp)

Data Protection. 15.2.1 The Parties acknowledge their respective duties under the Data Protection Legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 15.2.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Company is the Data Controller and the Supplier is the Data Processor (where Data Controller and Data Processor have the meaning as defined in the Data Protection Legislation). 15.2.3 To the extent that the Supplier is acting as a Data Processor on behalf of the Company, the Supplier shall, in relation to any Personal Data or Sensitive Personal Data it processes in connection with the performance of its obligations under this Agreement: (a) only process such Personal Data and/or Sensitive Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with any written instruction given by the Company under this Agreement; (b) put in place appropriate technical and organisational measures against any unauthorised or unlawful processing of such Personal Data and/or Sensitive Personal Data, and against the accidental loss or destruction of or damage to such Personal Data and/or Sensitive Personal Data having regard to the specific requirements in this Agreement, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data and/or Sensitive Personal Data is affected by such unauthorised or unlawful processing or by its loss, damage or destruction; (c) take all reasonable steps to ensure the reliability of staff who will have access to such Personal Data and/or Sensitive Personal Data, and ensure that such staff are properly trained in protecting Personal Data and Sensitive Data; (d) ensure that all personnel who have access to and/or process Personal Data and/or Sensitive Personal Data are obliged to keep the Personal Data and/or Sensitive Personal Data confidential; (e) provide the Company with such information as the Company may reasonably require to satisfy itself that the Supplier is complying with its obligations under the Data Protection Legislation; (f) immediately notify the Company of any requests for disclosure of or access to the Personal Data and/or Sensitive Personal Data from a Data Subject; (g) assist the Company, at the Company’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (h) immediately notify the Company of any breach of the security measures required to be put in place pursuant to this clause 15.2.3 (i) ensure it does not knowingly or negligently do or omit to do anything which places the Company in breach of its obligations under the Data Protection Legislation; (j) at the written direction of the Company, delete or return Personal Data and/or Sensitive Personal Data and any copies thereof to the Company on termination of the agreement; (k) not transfer any Personal Data outside of the European Economic Area; and maintain complete and accurate records and information to demonstrate its compliance with this clause 15. 15.2.4 The Supplier and the Company shall ensure that Personal Data and/or Sensitive Personal Data is safeguarded at all times in accordance with all applicable laws.

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection. 23.1 The AUTHORITY recognises, understands, and agrees that CONTRACTOR is not subject to, and therefore does not comply with United Kingdom Data Protection Legislation. 23.2 The CONTRACTOR shall: 23.2.1 Process the Personal Data only in accordance with instructions from the AUTHORITY or as reasonably necessary to perform the Services (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the AUTHORITY to the CONTRACTOR during the Term); 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by applicable law or regulation; 23.2.3 Implement commercially reasonable technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 23.2.4 obtain prior written consent from the AUTHORITY in order to transfer the Personal Data to any Sub-Contractors or Affiliates to meet its obligations under this Contract and, where such Personal Data is transferred the CONTRACTOR shall: i. provide only the minimum Personal Data necessary; and ii. Require the Sub CONTRACTOR to provide an adequate level of protection to any Personal Data that is transferred. 23.2.5 Ensure that all Contractors’ Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition; 23.2.6 ensure that none of CONTRACTOR’s personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AUTHORITY or as necessary to perform the Services; 23.2.7 notify the AUTHORITY reasonably promptly (and within ten Working Days) if it receives: i. a request from a Data Subject to have access to that person's Personal Data; or ii. A complaint or request relating to the AUTHORITY’s obligations under any Data Protection Legislation; 23.2.8 Provide the AUTHORITY with reasonable cooperation and assistance in relation to any complaint or request made, including by: i. providing the AUTHORITY with full details of the complaint or request; ii. complying with a data access request within a reasonable timeframe of the request, making commercially reasonable efforts to respond in time to allow the AUTHORITY adequate time to respond to any such complaint or request; iii. Providing the AUTHORITY with any Personal Data it holds in relation to a Data Subject (within a reasonable timeframe); and iv. Providing the AUTHORITY with any information reasonably requested by the AUTHORITY that relates to the AUTHORITY; 23.2.9 provide the AUTHORITY or the AUTHORITY’s Representative (subject to the reasonable and appropriate confidentiality undertakings), with appropriate assurances, evidences and explanations of the CONTRACTOR’s data Processing activities (and/or those of its agents, subsidiaries and, to the extent CONTRACTOR has the right, any Sub-contractors, who process the AUTHORITY’s Personal Data) and comply with all reasonable requests or directions by the AUTHORITY to enable the AUTHORITY to verify and/or procure that the CONTRACTOR is in full compliance with its obligations under this Contract; 23.2.10 provide a written description of the technical and organisational methods employed by the CONTRACTOR for processing Personal Data (within a reasonable timeframe from a request by the AUTHORITY); and 23.2.11 not Process Personal Data without the prior written consent of the AUTHORITY unless necessary to meet its obligations under this Contract and, where Personal Data is processed, to: i. provide an adequate level of protection to any Personal Data to be processed; and ii. Endeavour to comply, to the extent commercially reasonable, with any reasonable instructions notified to it by the AUTHORITY. 23.3 The CONTRACTOR shall indemnify and keep indemnified, the AUTHORITY fully against any financial penalties caused directly by (1) the breach by the CONTRACTOR or its Staff of any of the provisions of this Condition 23 (Data Protection), or (2) any misuse, loss or unauthorised use or disclosure by the CONTRACTOR or its Staff of any Personal Data relating to any person, except and to the extent that such financial penalties were caused or contributed to by the AUTHORITY. The indemnity provided by this Section 23.3 shall be subject to the limits set forth herein in Section 17. 23.4 Notwithstanding the foregoing, the CONTRACTOR shall be permitted to disclose Personal Data in connection with soliciting bids from Insurance Carriers as outlined in Part IV – Specification (Services Scope), provided the CONTRACTOR provides only the minimum Personal Data necessary and informs each Insurance Carrier of the confidential nature of the Personal Data.

Appears in 2 contracts

Sources: Security Guarding Services Agreement, Security Guarding Services Agreement

Data Protection. 1.1 The Introducer undertakes, without prejudice to the other terms of this Agreement, that: 1.1.1 it has at the date of this Agreement and shall at all times maintain, at its own cost, all necessary registrations under the DPA and/or notifications to the Information Commissioner and the Introducer shall at all times comply with the provisions of the DPA; 1.1.2 the Introducer shall only process personal data lawfully and after having taken, and continuing to take, appropriate technical and organisational measures to guard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the personal data. In doing so, the Introducer shall provide a level of security appropriate to the harm that might result from any unauthorised or unlawful processing or accidental loss, destruction or damage to the personal data and also the nature of the personal data being protected and having regard to the state of technological development and to the cost of implementing such measures; 1.1.3 the Introducer shall promptly give BoS such access and assistance as BoS may reasonably request to confirm compliance by the Introducer with its obligations under this Agreement in relation to the personal data; 1.1.4 the Introducer shall at all times take all reasonable steps to ensure the reliability of those of its staff who have access to personal data with a view to ensuring compliance with the DPA; and 1.1.5 the Introducer shall keep accurate and up-to-date records of the personal data. 1.2 The Introducer and BoS agree to use all reasonable endeavours to reach agreement on any change to the processing of personal data under this condition 1 which may be required in order to comply with any enforcement notice served on either of them or in response to proceedings or enquiries from the Information Commissioner’s Office in order to avoid an enforcement notice being served or to ensure compliance with one. 1.3 The Introducer shall ensure that all persons (other than BoS) to whom any personal data relating to any Applicant is disclosed, or who have or may have access to personal data, maintain the confidentiality of that personal data and comply with the terms of this condition 1 as if references in this condition 1 to the Introducer included references to that person. 1.4 The obligations accepted under or pursuant to this condition 1 shall remain in full force and effect without limit in time.

Appears in 2 contracts

Sources: Client Banking Introducer Agreement, Client Banking Introducer Agreement

Data Protection. 23.1 With respect to the parties' rights and obligations under this agreement, the parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier’s attention is hereby drawn to the Data Protection Requirements set out in clause 23.2 below. The Authority and the Supplier shall observe their obligations under the Data Protection Requirements. 23.2 The Supplier shall: 23.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Authority to the Supplier during the Term); 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Development Services or as is required by law or the Information Commissioner; 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 23.2.4 take all reasonable steps to ensure the reliability of any Supplier Personnel who have access to the Personal Data; 23.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors for the provision of the Development Services; 23.2.6 ensure that all Supplier Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 23; 23.2.7 ensure that none of the Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 23.2.8 notify the Authority (within five (5) Working Days or such other period as specified by the Authority (if any)) if it receives: 23.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or 23.2.8.2 a complaint or request relating to the Customer's obligations under the Data Protection Requirements; 23.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: 23.2.9.1 providing the Authority with full details of the complaint or request; 23.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the Authority's instructions; 23.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and 23.2.9.4 providing the Authority with any information requested by the Customer; 23.2.10 permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Contract;

Appears in 2 contracts

Sources: Software Development Agreement, Software Development Agreement

Data Protection. 22.1 With respect to 19.1 The Parties acknowledge that for the Parties' rights and obligations under this Framework Agreementpurposes of the Data Protection Legislation, the Parties agree that the Authority Purchaser is the Data Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Schedule 4 by the Purchaser and may not be determined by the Supplier. 19.2 The Supplier shall notify the Purchaser immediately if it considers that any of the Purchaser's instructions infringe the Data ProcessorProtection Legislation. 22.2 19.3 The Supplier shall provide all reasonable assistance to the Purchaser in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Purchaser, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Care Service; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.4 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Contract: 22.2.1 Process the (a) process that Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Schedule 4, unless the Supplier during is required to do otherwise by Law. 
If it is so required the Term); 22.2.2 Process Supplier shall promptly notify the Purchaser before processing the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required unless prohibited by Law or any Regulatory BodyLaw; 22.2.3 implement (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Purchaser as appropriate technical and organisational measures to protect the Personal against a Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and Loss Event having regard to the taken account of the: (i) nature of the Personal Data which is data to be protected; 22.2.4 take (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that : (i) the Supplier personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 4); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff Supplier personnel who have access to the Personal DataData and ensure that they: (A) are aware of and comply with the Supplier’s duties under this condition; 22.2.5 obtain prior Approval from (B) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Supplier or any Sub-Contractors or Affiliates for the provision of the Servicesprocessor; 22.2.6 ensure that all Supplier Staff required to access the Personal Data (C) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, 
disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives:Purchaser or as otherwise permitted by this Contract; and (aD) a request from a Data Subject to have access to that person's undergone adequate training in the use, care, protection and handling of Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description not transfer Personal Data outside of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other 
Contracting Body without EU unless the prior written consent of the Authority or Contracting Body concerned and, where Purchaser has been obtained and the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are fulfilled: (i) the Purchaser or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Purchaser; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist the Purchaser in meeting its obligations); and (iiiv) the Supplier complies with any reasonable instructions notified to it in advance by the Authority Purchaser with respect to the processing of the Personal Data; (e) at the written direction of the Purchaser, delete or Contracting Body concernedreturn Personal Data (and any copies of it) to the Purchaser on termination of this Contract unless the Supplier is required by law to retain the Personal Data. 
22.2.11 The 19.5 Subject to condition 19.6, the Supplier shall comply at all times with notify the Purchaser immediately if it: (a) receives a Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such Subject Access Request (or purported Data Subject Access Request); (b) receives a way as request to cause the Authority rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to breach any of its applicable either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory Authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law; or (f) becomes aware of a Data Loss Event. 19.6 The Supplier’s obligation to notify under condition 19.5 shall include the provision of further information to the Purchaser in phases, as details become available. 
19.7 Taking into account the nature of the processing, the Supplier shall provide the Purchaser with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under condition 19.5 (and insofar as possible within the timescales reasonably required by the Purchaser) including by promptly providing: (a) the Purchaser with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Purchaser to enable the Purchaser to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Purchaser, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Purchaser following any Data Loss Event; (e) assistance as requested by the Purchaser with respect to any request from the Information Commissioner’s Office, or any consultation by the Purchaser with the Information Commissioner's Office. 19.8 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this condition. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: (a) the Purchaser determines that the processing is not occasional; (b) the Purchaser determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Purchaser determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 19.9 The Supplier shall allow for audits of its Data Processing activity by the Purchaser or the Purchaser’s designated auditor. 19.10 The Supplier shall designate a data protection officer if required by the Data Protection Legislation.
19.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Supplier must: (a) notify the Purchaser in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Purchaser; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this condition 19 such that they apply to the Sub-processor; and (d) provide the Purchaser with such information regarding the Sub-processor as the Purchaser may reasonably require. 19.12 The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. 19.13 The Purchaser may, at any time on not less than 30 Working Days’ notice, revise this condition by replacing it with any applicable controller to processor standard conditions or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 19.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Purchaser may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Sources: Contract for Adult Care Services, Contract for Adult Care Services

Data Protection. 22.1 With respect to 23.1 Both Parties will comply with all applicable requirements of the Parties' rights Data Protection Legislation. This clause 23 is in addition to, and does not relieve, remove or replace, a party’s obligations under this Framework Agreementthe Data Protection Legislation. 23.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. The only processing that the Supplier is authorised to do by the Authority is in accordance with written instructions and may not be determined by the Supplier. 22.2 23.3 The Supplier shall:will notify the Authority immediately if it considers that any of the Authority’s instructions infringe Data Protection legislation. 22.2.1 Process 23.4 Without prejudice to the generality of clause 23.1, the Authority will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during for the Term)duration and purposes of this agreement. 23.5 The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Contractor, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; 22.2.2 Process (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 23.6 Without prejudice to the generality of clause 23.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process that Personal Data only to on the extent, and in such manner, as it necessary for the provision written instructions of the Services or as Authority, unless the Supplier is required to do otherwise by Law or any Regulatory Bodythe Law. If it is so required, the Supplier shall promptly notify the Authority before processing the Personal Data, unless prohibited by Laws; 22.2.3 implement (b) ensure that it has in place appropriate technical and organisational measures which have been reviewed and approved by the Authority, to protect the Personal against a Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and Loss Event having regard to the taken account of the: (i) nature of the Personal Data which is data to be protected; 22.2.4 take (ii) harm that might result from a Data Loss Event; (iii) the state of technological development; and (iv) the cost of implementing any measures (c) the Supplier’s Personnel do not process Personal Data except in accordance with this Agreement; (d) it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff Personnel who have access to the Personal DataData and ensure that they: (i) are aware of and comply with the Supplier’s duties under this clause; 22.2.5 obtain prior Approval from (ii) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Supplier or any Sub-Contractors or Affiliates for the provision of the Services;Processor 22.2.6 ensure that all Supplier Staff required to access the Personal Data (iii) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data 
Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required as otherwise permitted by the Authoritythis Agreement; and (div) providing have undergone adequate training in the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable use, care, protection and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those handling of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority)Data; and (ce) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area transfer any Personal Data supplied to it by outside of the Authority or any Other Contracting Body without EU unless the prior written consent of the Authority or Contracting Body concerned and, where has been obtained and the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are fulfilled: (i) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective remedies; (iii) the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any 
Personal Data that is transferred; and (iiiv) any the Supplier complies with the reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (f) at the written direction of the Authority, delete or Contracting Body concernedreturn Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. 22.2.11 23.7 The Supplier shall comply at all times notify the Authority immediately and within 48 hours of receipt, if it receives: (a) a request from a Data Subject Access Request (or purported Data Subject Access Request); (b) a request to rectify, block or erase any Personal Data; (c) any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (d) a request from any third party for disclosure of Personal Data where compliance with such request as required or purported to be required by Law; or (e) becomes aware of a Data Loss Event. 23.8 The Supplier shall provide the Authority with full assistance in relation to either Party’s obligations under the Data Protection Legislation and shall not perform its obligations any complaint, communication or request made under this Framework Agreement in clause 23.7: (a) by promptly providing within 5 working days: i. the Authority with full details and copies of the complaint, communication or request; ii. such a way assistance as to cause is reasonably requested by the Authority to breach any of its applicable obligations under enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; iii. the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; or iv. 
assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner’s Office. (b) immediately within 24 hours of the request by the Authority following a Data Loss Event; 23.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 23 23.10 The Supplier shall allow for audits by the Authority or the Authority’s designated auditor pursuant to clause 25; 23.11 Before allowing any Sub-Contractor pursuant to clause 18 to process any Personal Data relating to this agreement, it shall: (a) notify the Authority in writing of the intended processing by the Sub-Contractor; (b) obtain prior written consent from the Authority to the processing; (c) ensure that any Sub-Contract imposes obligations on the Sub-Contractor to give effect to the terms set out in this clause 23. 23.12 The Supplier shall remain fully liable for all the acts or omissions of any sub-contractor. 23.13 Either Party may, at any time on not less than 30 Working Days’ written notice to the other party, revise this clause 23 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

Appears in 2 contracts

Sources: Contract for the Provision of Services, Contract for the Provision of Services

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Both Parties agree that the Authority is will comply with all applicable requirements of the Data Controller and that the Supplier Protection Legislation. This Clause 21 is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extentaddition to, and in such mannerdoes not relieve, as it necessary for the provision of the Services remove or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossreplace, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the AuthorityParty's obligations under the Data Protection Legislation. 
Without prejudice to the generality of Clause 21.1, Client shall: 21.3.1 ensure that it or (where applicable) the relevant Data Controller has all necessary appropriate consents and notices in place to enable the Processing of the Personal Data by CSI for the duration and purposes of this agreement; 22.2.9 provide 21.3.2 ensure that any Personal Data that it or (where applicable) the Authority relevant Data Controller provides is lawfully disclosed or provided to CSI; 21.3.3 not cause CSI to be in breach of the Data Protection Legislation; 21.3.4 ensure that any instructions provided to CSI regarding the Processing of Personal Data are lawful and shall, at all times, be in accordance with full cooperation Data Protection Legislation; 21.3.5 accept that it has sole responsibility for the technical and assistance organisational measures employed in the Client’s Environments (except where expressly stated as the responsibility of CSI in an Order) and shall maintain any appropriate measures (including any reasonable measures recommended by CSI) in respect of the security of the Personal Data, which may include the pseudonymisation and encryption of the Personal Data; and 21.3.6 ensure that the Personal Data shall not include any Sensitive Personal Data (as defined in the Data Protection Legislation) without first agreeing additional data protection and information security controls with CSI. Without prejudice to the generality of Clause 21.1, CSI shall, in relation to any complaint Personal Data Processed in connection with the performance by CSI of its obligations under this agreement: 21.4.1 Process that Personal Data only on the written instructions of the Client unless CSI is required by Applicable Laws to Process Personal Data. 
Where CSI is relying on Applicable Laws as the basis for Processing Personal Data, CSI shall promptly notify the Client of this before performing the Processing required by the Applicable Laws unless those Applicable Laws prohibit CSI from so notifying the Client; 21.4.2 ensure that it has in place the technical and organisational measures set out in Schedule 2 to protect against unauthorised or request madeunlawful Processing of Personal Data and against accidental loss or destruction of, including byor damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, ensuring the pseudonymisation, encryption, confidentiality, integrity, availability and resilience of its systems and services, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 21.4.3 ensure that all Personnel, suppliers and sub-contractors who have access to and/or Process the Personal Data are obliged to keep the Personal Data confidential; 21.4.4 not transfer or Process any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled: (a) providing the Authority with full details of Client or CSI has provided appropriate safeguards in relation to the complaint or requesttransfer; (b) complying with a data access request within the relevant timescales Data Subjects have enforceable rights and effective legal remedies as set out in the Data Protection Legislation and in accordance with the Authority's instructionsLegislation; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the 
Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance CSI complies with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iid) any CSI complies with reasonable instructions notified to it in advance by the Client with respect to the Processing of the Personal Data; 21.4.5 promptly inform Client on, and in any event within five (5) Business Days of, receipt of any communication from a Data Subject, Supervisory Authority or Contracting Body concerned.authorised third party regarding the Processing of Client Data; 22.2.11 The Supplier shall comply at all times with 21.4.6 if a Data Subject exercises any of its rights under the Data Protection Legislation 
(including rights of access, correction, blocking, suppression or deletion as are available to such individual) CSI shall, at Client’s cost, promptly provide reasonable assistance in the provision of such information related to the CSI’s Processing as Client reasonably requires; 21.4.7 assist Client in responding to any request from a Data Subject and shall not perform in ensuring compliance with its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities and/or regulators and CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such prompt cooperation and assistance as well as any costs and expenses incurred where any assistance provided is outside the scope of the Managed Services and Services; 21.4.8 promptly co-operate with all reasonable requests or directions arising directly from, or in connection with the exercise of its powers by a Supervisory Authority; 21.4.9 notify the Client without undue delay, and in any event within forty eight (48) hours, on becoming aware of a known or suspected Personal Data Breach and/or shall provide Client with all reasonable assistance in providing information for and in the reporting of a Personal Data Breach to the relevant Supervisory Authority; 21.4.10 notify Client if any instructions of the Client shall, to the knowledge of CSI, infringe Data Protection Legislation; 21.4.11 at the written direction of the Client, delete or return the Personal Data and copies thereof to the Client on request, and in any event on expiry or termination of an applicable Order or expiry or termination of this agreement unless required by Applicable Law to store the Personal Data; and 21.4.12 maintain complete and accurate records of Processing and other 
appropriate information to demonstrate its compliance with this Clause 21; 21.4.13 CSI shall allow for and contribute to audits, including inspections, conducted by the Client, the Client’s customers or another independent auditor proposed by the Client and approved by CSI, for the purpose of demonstrating compliance by CSI and with their obligations under this Clause 21 provided that the Client gives CSI reasonable prior notice of such audit and/or inspection and they are limited to no more than once per annum unless (i) otherwise agreed by CSI or (ii) if CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months and Client wishes to confirm that CSI is now compliant. CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such contribution and assistance as well as any costs and expenses incurred for additional audits over the once per annum except where CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months. The Client consents to CSI appointing any third parties notified to the Client as a third-party processor to Process Personal Data (“Sub-processors”) under this agreement. CSI confirms that it has entered into, or (as the case may be) will use its reasonable endeavours to enter into a written agreement incorporating terms which are substantially similar to and as far as reasonably possible on terms that are no less onerous than those set out in this Clause 21. As between the Client and the CSI, CSI shall remain fully liable for all acts or omissions of any Sub-processors appointed by it pursuant to this Clause 21. CSI shall promptly notify Client in writing of any loss or damage to the Client Data. In the event of any loss or damage to Client Data, Client's sole and exclusive remedy shall be for CSI to use reasonable commercial endeavours to restore the lost or damaged Client Data from the latest backup of such Client Data.
CSI shall not be responsible for any loss, destruction, alteration or unauthorised disclosure of Client Data caused by any third party (except those third parties subcontracted by CSI to perform services related to Client Data maintenance and back-up) nor for the security or integrity of any Client Personal Data during its transmission via public telecommunications facilities, the Internet or similar. 21.7.1 the Parties shall execute and shall comply with the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), in the form set out in Schedule 7 to this agreement; and 21.7.2 the Parties agree that CSI shall be entitled to levy such additional charges costs and expenses in respect of its assistance and cooperation as provided for under Clause 21.4. Each party (the “Indemnifying Party”) shall indemnify the other party (the “Indemnified Party”) against: 21.8.1 all claims, liabilities, costs, expenses, damages and losses (including but not limited to all reasonable professional costs and expenses) (“Losses”) suffered or incurred by the Indemnified Party arising out of or in connection with: a Personal Data Breach, any claim by a third party (including but not limited to a Data Subject) or any failure by the Indemnifying Party to comply with its obligations under this Clause 21; and 21.8.2 all penalties, awards, fines which are imposed upon by a Supervisory Authority, except to the extent that such Losses have arisen out of or in connection with any negligence or wilful default of the Indemnified Party or any breach by the Indemnified Party of its obligations under this Clause 21 (Data Protection).

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 22.1 With respect to 4.2.1 As specified in the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 Controller-Processor Agreement in Schedule 5. The Supplier shall: 22.2.1 Process the Personal 4.2.1.1 process all Customer Data only strictly in accordance with (a) the terms of the Agreement and (b) the Customer’s reasonable instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority time to the Supplier during the Term);time 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement 4.2.1.2 take appropriate technical and organisational measures to protect (a) against the Personal Data against unauthorised or unlawful Processing processing of Customer Data and (b) against the accidental loss, destruction, damage, alteration loss or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction of or damage to Customer Data (including adequate back-up procedures and disaster recovery systems) 4.2.1.3 ensure (a) that only such of its employees and agents as may be required by it to assist it in meeting its obligations under the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who Agreement have access to Customer Data and (b) that all employees and agents used by it to provide the Personal Services have undergone training in the law of data protection and in the care and handling of data such as Customer Data; 22.2.5 obtain prior Approval 4.2.1.4 assist the Customer promptly with all subject access requests which may be received from individuals who are the Authority subject of the Customer Data (“Data Subjects”) (but the Customer shall reimburse the Supplier for any reasonable costs which the Supplier incurs in order complying with this requirement to transfer the Personal extent to which such costs are not covered by the payment of any charges under the Agreement) 4.2.1.5 not use the Customer Data for any purposes which may be inconsistent with those notified to the Data Subject on or before the time of collection provided that the Customer has previously supplied to the Supplier copies of all such notices 4.2.1.6 not disclose the Customer Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any a third party unless directed in writing to do so by the 
Authorityany circumstances other than; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a at the specific request from a Data Subject to have access to that person's Personal Data; of the Customer or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details such of the complaint or request; (b) complying Supplier’s contractors subcontractors agents servants consultants and advisers as necessary to enable the Supplier to comply with a data access request within its duties pursuant to this Agreement who have been instructed by the relevant timescales set out in Supplier to treat the Customer Data Protection Legislation and in accordance with the Authority's instructions;as confidential or (c) providing the Authority with any Personal Data it holds as otherwise specified in relation to a Data Subject (within the timescales required by the Authority; andthis clause 4.2 (d) providing where the Authority with data is in an anonymised form as part of an aggregated set of summary data, not including any information personally identifiable information. 4.2.1.7 promptly carry out any request from the Customer requiring the Supplier to amend transfer or delete all or any part of the Customer Data where such request is managed through the change process and fees quoted to the customer. 
4.2.1.8 notify the Customer immediately upon receiving any notice or communication from any supervisory or government body which relates directly or indirectly to the processing of the Customer Data 4.2.1.9 if requested in writing by the Authority;Customer from time to time provide to the Customer a copy of the Customer Data in the format and on the media reasonably specified by the Customer with time and expenses charged to the customer 22.2.10 4.2.1.10 if any Customer Data in the possession or control of the Supplier become lost corrupted or rendered unusable for any reason promptly restore such Customer Data using its back up and/or disaster recovery procedures at no cost to the Customer and 4.2.2 The Supplier shall:acknowledges and agrees that the Customer retains all rights title and interest in the Customer Data including any copyright and database rights (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that 4.2.3 Where the Supplier is required on behalf of the Customer to collect any Customer Data in full respect of any employee of the Customer it shall be collected on the basis of ‘Contract’ as defined in Article 6(1)(b) of GDPR. 
The Customer shall ensure; 4.2.3.1 that the processing of such Customer Data in the manner envisaged by these terms and conditions remains the most appropriate basis for processing and 4.2.3.2 that such employee shall be provided with a written data protection notice in compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.2018

Appears in 2 contracts

Sources: Terms and Conditions, Terms and Conditions

Data Protection. 22.1 With respect 14.1 The CONTRACTOR’s attention is hereby drawn to the Parties' rights Data Protection Requirements. The CUSTOMER and the CONTRACTOR shall observe their obligations under the Data Protection Requirements. 14.2 Where the CONTRACTOR, pursuant to its obligations under this Framework AgreementContract, undertakes the Parties agree that Processing of Personal Data on behalf of the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier CUSTOMER, it shall: 22.2.1 Process 14.2.1 carry out the Processing of Personal Data only in accordance with instructions from the Authority CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority CUSTOMER to the Supplier CONTRACTOR during the Term); 22.2.2 Process 14.2.2 carry out the Processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision supply of the Ordered Goods and Ordered Services or as is required by Law or any Regulatory Body; 22.2.3 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 14.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff CONTRACTOR personnel who have access to the Personal Data; 22.2.5 14.2.5 obtain prior Approval written consent from the Authority CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision supply of the Ordered Goods and Ordered Services; 22.2.6 14.2.6 ensure that all Supplier Staff any CONTRACTOR personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)14; 22.2.7 14.2.7 ensure that none of Supplier’s Staff the CONTRACTOR personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCUSTOMER; 22.2.8 14.2.8 notify the Authority CUSTOMER (within five (5) Working Days Days) if it receives: (a) : a request from a Data Subject to have access to that person's ’s Personal Data; or (b) or a complaint or request relating to the Authority's CUSTOMER’s obligations under the Data Protection LegislationRequirements; 22.2.9 14.2.9 provide the Authority CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: (a) : providing the Authority CUSTOMER with full details of the complaint or request; (b) ; complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's CUSTOMER’s instructions; (c) ; providing the Authority CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthorityCUSTOMER); and (d) and 
providing the Authority CUSTOMER with any information requested by the AuthorityCUSTOMER; 22.2.10 The Supplier shall: (a) 14.2.10 permit the Authority CUSTOMER or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's CONTRACTOR’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority CUSTOMER to enable the Authority CUSTOMER to verify and/or procure that the Supplier CONTRACTOR is in full compliance with its obligations under this Framework AgreementContract; (b) 14.2.11 provide a written description of the technical and organisational methods employed by the Supplier CONTRACTOR for Processing Personal Data (within the timescales required by the AuthorityCUSTOMER); and (c) 14.2.12 not cause or permit to be Processed and/or otherwise transferred undertake the Processing of Personal Data outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned CUSTOMER and, where the Authority or Other Contracting Body concerned CUSTOMER consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: (i) : the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) and any reasonable instructions notified to it by the Authority or Contracting Body concernedCUSTOMER. 
22.2.11 14.3 The Supplier CONTRACTOR shall comply at all times with the Data Protection Legislation Requirements and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Authority CUSTOMER to breach any of its applicable obligations under the Data Protection LegislationRequirements. 14.4 The CUSTOMER may from time to time serve on the CONTRACTOR an information notice requiring the CONTRACTOR within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 14.4.1 compliance by the CONTRACTOR with the CONTRACTOR’s obligations under this Contract in connection with the Processing of Personal Data; and/or 14.4.2 the rights of Data Subjects, including but not limited to subject access rights. 14.5 The CONTRACTOR will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. 14.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the CONTRACTOR is the Data Processor. 
Where the CONTRACTOR wishes to appoint, in accordance with the provisions of Clause 26, a Sub-Contractor to assist it in providing the Ordered Goods and Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the CONTRACTOR with the provisions of Clause 26 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the CONTRACTOR a delegated authority to appoint on the CUSTOMER’s behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the CONTRACTOR shall notify the AUTHORITY in writing of such appointment and the identity and location of such Sub-Contractor. The CONTRACTOR warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 14.2. Any Sub-Contractor appointed under the provisions of this Clause 14.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. 14.7 Save as set out in this Clause 14, any unauthorised Processing, use or disclosure of Personal Data by the CONTRACTOR is strictly prohibited. 14.8 The CONTRACTOR shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the CONTRACTOR’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the CONTRACTOR or its employees, servants, agents or Sub-Contractors.

Appears in 2 contracts

Sources: Contract, Contract

Data Protection. 22.1 With respect 20.1 The Parties acknowledge their respective duties under the DPA and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. 20.2 To the Parties' rights and extent that the Lead Commissioner is acting as a Data Processor (as such term is defined in the DPA) on behalf of the other Party, the Lead Commissioner shall, in particular, but without limitation: 20.2.1 only process such Personal Data as is necessary to perform its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified any instruction given by the Authority to the Supplier during the Term)other Party under this Agreement; 22.2.2 Process the Personal Data only to the extent, and 20.2.2 put in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing of such Personal Data, and against the accidental loss, loss or destruction of or damage to the such Personal Data and having regard to the nature specific requirements in Clause 20.2.3 below, the state of technical development and the level of damages that may be suffered by a Data Subject (as such term is defined in the DPA) whose Personal Data which is to be protectedaffected by such unauthorised or unlawful processing or by its loss, damage or destruction; 22.2.4 20.2.3 take all reasonable steps to ensure the reliability of any Supplier’s Staff employees who will have access to the such Personal Data;, and ensure that such employees are aware of and trained in the policies and procedures identified in Clauses 20.3.3 - 20.3.5 below; and 22.2.5 obtain prior Approval from the Authority in order to transfer the 20.2.4 not cause or allow such Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the 
Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned andother Party. 
20.3 The Lead Commissioner shall ensure that Personal Data is safeguarded at all times in accordance with the DPA and other relevant data protection legislation, where which shall include without limitation the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withobligation to: 20.3.1 Will comply with statutory requirements regarding information governance self-assessments; 20.3.2 have an information guardian able to communicate with the Joint Commissioning Board, who will take the lead for information governance and from whom the Joint Commissioning Board shall receive regular reports on information governance matters including details of all data loss and confidentiality breaches; 20.3.3 (where transferred electronically) only transfer essential data that is (i) necessary for direct Service User care; and (ii) encrypted to the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 higher of the Data Protection Act 1998 by providing an adequate level of protection to any international data encryption standards for healthcare and the National Standards (this includes, but is not limited to, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes); 20.3.4 have policies which are rigorously applied that describe individual personal responsibilities for handling Personal Data; 20.3.5 have agreed protocols for sharing Personal Data that is transferredwith other NHS organisations and non-NHS organisations; and (ii) 20.3.6 have a system in place and a policy for the recording of any reasonable instructions notified telephone calls, where appropriate, in relation to it by the Authority or Contracting Body concernedServices, including the retention and disposal of such recordings. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Sources: Agreement Under Section 75 of the National Health Service Act 2006 for the Joint Commissioning of Health & Social Care Services, Agreement Under Section 75 of the National Health Service Act 2006 for the Joint Commissioning of Health & Social Care Services

Data Protection. 22.1 24.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data ProcessorProcessor in relation to the Authority Personal Data. The Supplier shall (and shall procure that Supplier Staff and Temporary Workers) comply with any notification requirements under the DPA and both Parties shall duly observe all their obligations under the DPA which arise in connection with this Framework Agreement. 22.2 The 24.2 Notwithstanding the general obligation in Clause 24.1 (Data Protection), where the Supplier is Processing Authority Personal Data for the Authority the Supplier shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the Authority Personal Data (and to guard against unauthorised or unlawful Processing of the Authority Personal Data and against accidental loss or destruction of, or damage to, the Authority Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA and shall: 22.2.1 24.2.1 Process the Authority Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by Authority; 24.2.2 provide the Authority with such information as the Authority may reasonably request to satisfy itself that the Supplier during is complying with its obligations under the Term)DPA; 22.2.2 Process 24.2.3 promptly notify the Personal Data only to the extent, and in such manner, as it necessary for the provision Authority of any breach of the Services or as is required by Law or any Regulatory Bodysecurity measures to be put in place pursuant to this Clause; 22.2.3 implement appropriate technical and organisational measures 24.2.4 ensure that it does not knowingly or negligently do or omit to protect do anything 
which places the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to Authority in breach of its obligations under the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;DPA; and 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 24.2.5 obtain prior Approval written consent from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliates for the provision Contractors. 24.3 The provisions of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none 24.3 shall apply during the Term and indefinitely after the termination or expiry of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within 
the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement. 24.4 The Supplier shall comply at all times with the Information Security Requirements in respect of all Authority Data; (b) provide a written description of the technical and organisational methods employed by the 24.5 The Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) shall not cause or permit to be Processed and/or Processed, stored, accessed or otherwise transferred outside the European Economic Area any Authority Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned Approval and, where the Authority or Other Contracting Body concerned consents to Processing and/or such Processing, storing, accessing or transfer outside the European Economic Area, to shall comply with: (i) 24.5.1 comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 DPA by providing an adequate level of protection to any Authority Personal Data that is so Processed, stored, accessed or transferred; and; (ii) 24.5.2 comply with any reasonable instructions notified to it by the Authority or Contracting Body concernedAuthority; and 24.5.3 enter into the EU Model Clauses if requested by the Authority. 
24.6 The Supplier shall indemnify and keep indemnified the Authority from and against any and all liabilities, losses, demands, damages, costs, claims, expenses (including without limitation legal expenses), fines, penalties and interest which the Authority may incur (directly or indirectly), including without limitation in relation to any third party claim and the Authority's expenses in defending and/or settling such third party claim, arising from any breach by the Supplier of any of its obligations under this Clause 24 (Data Protection).

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 8.1 You shall own all right, title and interest in and to all of the Customer Data and are exclusively responsible for the legality, reliability, integrity, accuracy and quality of the Customer Data. 8.2 The Parties acknowledge that, for the purposes of Data Protection Laws, you are the Controller and we are the Processor of any Personal Data. The scope, nature and purpose of Processing is as set out in the Data Sharing Summary. 8.3 Each Party confirms that it holds, and during the term of this Agreement, will maintain, all registrations and notifications required in terms of the Data Protection Laws which are appropriate to the performance of its obligations under this Clause 8. 8.4 Each Party confirms that, in the performance of this Agreement, it will comply with the Data Protection Laws. 8.5 We will: 8.5.1 process Personal Data only on documented instructions from you, unless required to do so by Data Protection Laws or any other applicable law to which we are subject; in such a case, we shall inform you of that legal requirement before Processing, unless that law prohibits us from informing you; 8.5.2 ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 8.5.3 take all measures required pursuant to Article 32 of the GDPR in respect of security of Processing;
8.5.4 taking into account the nature of the Processing, assist you by putting in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the Data Subject's rights laid down in Data Protection Laws, to the extent that such requests relate to this Agreement and our obligations under it; 8.5.5 assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to us; 8.5.6 at your option, delete (to the extent practicable) or return all the Personal Data to you after termination of this Agreement or otherwise on your request, and delete existing copies (to the extent practicable) unless applicable law requires the ongoing storage of the Personal Data; 8.5.7 make available to you all information necessary to demonstrate compliance with this Clause 8.5 and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you; and 8.5.8 inform you immediately if, in our opinion, an instruction from you infringes (or, if acted upon, might cause the infringement of) Data Protection Laws.
Subject to Clause 10.2 we shall not have any Liability in respect of any instruction from you that breaches (or causes a breach of) Data Protection Laws to the extent that we could not reasonably have been aware, or could not reasonably be expected to have been aware, that such instruction would breach (or cause a breach of) Data Protection Laws. 8.6 In the event that we engage any new subcontractor for the purposes of Processing during the term of this Agreement, we will inform you at least 30 days in advance of the engagement commencing, together with relevant information relating to that subcontractor and its operations. You may object to that engagement by contacting us, and, as your sole and exclusive remedy for such engagement, terminate this Agreement in accordance with Clause 12.5. 8.7 Each Party will notify the other Party as soon as is reasonably practicable if it becomes aware of a Personal Data Breach relating to either Party’s obligations under this Agreement. 8.8 You shall undertake appropriate data protection impact assessments to ensure that Processing of Personal Data complies with Data Protection Laws. We will provide you with reasonable assistance, where necessary and upon your request, in carrying out any data protection impact assessment and undertaking any necessary prior consultation of the Supervisory Authority. 8.9 It is your responsibility to ensure that Personal Data is dealt with in a way that is compliant with Article 5(1) of the GDPR.
8.10 It is your responsibility to ensure that: 8.10.1 you are able to justify the Processing of Personal Data in accordance with Article 6(1) of the GDPR (including where applicable, informing Data Subjects of the Providers whom their Personal Data will be shared with and obtaining any and all consents of Data Subjects required in order to commence the Processing), and that you have recorded or documented this in accordance with the record keeping requirements of the GDPR; 8.10.2 where Personal Data falls within the Special Categories of Personal Data, to
inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.Article 9

Appears in 2 contracts

Sources: Terms and Conditions, Terms and Conditions

Data Protection. 9.1 The Parties agree that in relation to: 9.1.1 Personal Data processed by the Pharmacy Contractor by providing Services under this Agreement, the Pharmacy Contractor shall be the sole Data Controller; and 9.1.2 Personal Data, the processing of which is required by the Commissioner for the purposes of quality assurance, performance management and contract management the Commissioner and the Pharmacy Contractor will be Data Controllers in common together (the “Agreed Purpose”). 9.2 Schedule 1 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing. 9.3 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. 9.4 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this agreement with immediate effect.
9.5 In relation to the processing of any Personal Data, each Party shall: 9.5.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; 9.5.2 give full information to any Data Subject whose Personal Data may be processed under this agreement of the nature of such processing; 9.5.3 process the Personal Data only for the Agreed Purpose; 9.5.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; 9.5.5 ensure that all Permitted Recipients are reliable and have had sufficient/adequate training pertinent to the care and handling of the resident Personal Data; 9.5.6 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement; 9.5.7 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data in accordance with Article 32 GDPR; 9.5.8 not transfer any personal data outside the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; 9.5.9 assist the other Party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
22.2.9 provide 9.6 Each Party shall notify the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details other Party without undue delay on becoming aware of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations Breach under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is 
transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Sources: Agreement for the Supply of Disposal of Clinical Sharps Service, Agreement for the Supply of Disposal of Clinical Sharps Service

Data Protection. 28.1 The Contractor shall be registered under the DPA and both parties will duly observe all of their obligations under the DPA, which arise in connection with the Agreement. 28.2 The Contractor shall not disclose or allow access to data arising from the Contractor’s participation in this Contract to any person not requiring the data in the provision of the Services. 28.3 Any disclosure of or access to Personal Data which is comprised in the Authority’s Data, provided by the Authority, shall be made in confidence and shall extend only so far as that which is specifically necessary for the purpose of the performance of any Contract awarded under the Agreement. 28.4 The parties shall at all times comply with the DPA and all subordinate and related legislation as enacted from time to time. The Authority shall be a Data Controller of the Personal Data, which is comprised in the Authority’s Data, provided by the Authority, collected and held by the Contractor in performing the Services, and such Personal Data, provided by the Authority, shall form part of the Authority’s Data.
28.5 Notwithstanding the general obligation in clause 28.1, where the Contractor is processing Personal Data which is comprised in the Authority’s Data, provided by the Authority, as a processor for the Authority (as defined by the DPA), and the Contractor shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the Personal Data comprised in the Authority’s Data (and to guard against unauthorised or unlawful processing of the Personal Data comprised in the Authority’s Data and against accidental loss or destruction of, or damage to, Personal Data comprised in the Authority’s Data), as required under the seventh Data Protection Principle in Schedule 1 to the DPA; and 28.5.1 provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Contractor is complying with its obligations; 28.5.2 promptly notify the Authority of any breach of the security measures required to be put in place pursuant to clause 28.5 which affects the Personal Data comprised in the Authority’s Data which has been provided by the Authority to the Contractor; and 28.5.3 ensure that it does not knowingly or negligently place the Authority in breach of the Authority’s obligations under DPA in respect of the Personal Data comprised in the Authority’s Data which has been provided by the Authority to the Contractor.
28.6 The Contractor shall at all times: 28.6.1 only use the Personal Data, comprised in the Authority’s Data provided by the Authority, which it holds in connection with the provision of the services in accordance with the written instructions of the Authority and in accordance with the terms and conditions of this Agreement and any subsequent Contract and shall not use it for any other purpose; 28.6.2 not disclose Personal Data comprised in the Authority’s Data, provided by the Authority, to any third parties other than (i) to the extent required by a court order, or (ii) employees and sub-contractors to whom such disclosure is reasonably necessary in order for the Contractor to carry out the services provided that such disclosure is made subject to written terms substantially the same as the terms contained in this Clause and provided that such disclosure has been approved in advance by the Authority; 28.6.3 procure that it shall only undertake processing of Personal Data comprised in the Authority’s Data, provided by the Authority, reasonably required and/or necessary in connection with this Agreement and any subsequent Contract and shall not transfer any Personal Data, provided by the Authority, to any country or territory outside the European Economic Area; 28.6.4 promptly provide the Authority with all necessary Personal Data comprised in the Authority’s Data, provided by the Authority, which is in the possession of or under the control of the Contractor including in a situation where the Authority is served with a subject access request under the DPA and the Authority informs the Contractor in writing that this is the case.
28.7 In addition to the obligation at Clause 28.6 if the Contractor should at any time receive a request for information (a subject access request) from any person for whom it holds Personal Data comprised in the Authority’s Data, provided by the Authority, as a result of the provision of the Service, it shall immediately inform the Authority of such request and the Parties shall take all actions necessary in order to ensure that the requirements of the DPA with regard to such request are fulfilled including complying with applicable time limits. 28.8 The Contractor shall ensure that any sub-contractor complies with this Condition 28. 28.9 This section has been redacted as it is exempt under the Freedom of Information Act Section 43

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Both Parties agree that the Authority is will comply with all applicable requirements of the Data Controller and that the Supplier Protection Legislation. This Clause 21 is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extentaddition to, and in such mannerdoes not relieve, as it necessary for the provision of the Services remove or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossreplace, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the AuthorityParty's obligations under the Data Protection Legislation. 
Without prejudice to the generality of Clause 21.1, Client shall: 21.3.1 ensure that it or (where applicable) the relevant Data Controller has all necessary appropriate consents and notices in place to enable the Processing of the Personal Data by CSI for the duration and purposes of this agreement; 22.2.9 provide 21.3.2 ensure that any Personal Data that it or (where applicable) the Authority relevant Data Controller provides is lawfully disclosed or provided to CSI; 21.3.3 not cause CSI to be in breach of the Data Protection Legislation; 21.3.4 ensure that any instructions provided to CSI regarding the Processing of Personal Data are lawful and shall, at all times, be in accordance with full cooperation Data Protection Legislation; 21.3.5 accept that it has sole responsibility for the technical and assistance organisational measures employed in the Client’s Environments (except where expressly stated as the responsibility of CSI in an Order) and shall maintain any appropriate measures (including any reasonable measures recommended by CSI) in respect of the security of the Personal Data, which may include the pseudonymisation and encryption of the Personal Data; and 21.3.6 ensure that the Personal Data shall not include any Sensitive Personal Data (as defined in the Data Protection Legislation) without first agreeing additional data protection and information security controls with CSI. Without prejudice to the generality of Clause 21.1, CSI shall, in relation to any complaint Personal Data Processed in connection with the performance by CSI of its obligations under this agreement: 21.4.1 Process that Personal Data only on the written instructions of the Client unless CSI is required by Applicable Laws to Process Personal Data. 
Where CSI is relying on Applicable Laws as the basis for Processing Personal Data, CSI shall promptly notify the Client of this before performing the Processing required by the Applicable Laws unless those Applicable Laws prohibit CSI from so notifying the Client; 21.4.2 ensure that it has in place the technical and organisational measures set out in Schedule 2 to protect against unauthorised or request madeunlawful Processing of Personal Data and against accidental loss or destruction of, including byor damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, ensuring the pseudonymisation, encryption, confidentiality, integrity, availability and resilience of its systems and services, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 21.4.3 ensure that all Personnel, suppliers and sub-contractors who have access to and/or Process the Personal Data are obliged to keep the Personal Data confidential; 21.4.4 not transfer or Process any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled: (a) providing the Authority with full details of Client or CSI has provided appropriate safeguards in relation to the complaint or requesttransfer; (b) complying with a data access request within the relevant timescales Data Subjects have enforceable rights and effective legal remedies as set out in the Data Protection Legislation and in accordance with the Authority's instructionsLegislation; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the 
Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance CSI complies with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iid) any CSI complies with reasonable instructions notified to it in advance by the Client with respect to the Processing of the Personal Data; 21.4.5 promptly inform Client on, and in any event within five (5) Business Days of, receipt of any communication from a Data Subject, Supervisory Authority or Contracting Body concerned.authorised third party regarding the Processing of Client Data; 22.2.11 The Supplier shall comply at all times with 21.4.6 if a Data Subject exercises any of its rights under the Data Protection Legislation 
(including rights of access, correction, blocking, suppression or deletion as are available to such individual) CSI shall, at Client’s cost, promptly provide reasonable assistance in the provision of such information related to the CSI’s Processing as Client reasonably requires; 21.4.7 assist Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities and/or regulators and CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such prompt cooperation and assistance as well as any costs and expenses incurred where any assistance provided is outside the scope of the Managed Services and Services; 21.4.8 promptly co-operate with all reasonable requests or directions arising directly from, or in connection with the exercise of its powers by a Supervisory Authority; 21.4.9 notify the Client without undue delay, and in any event within forty eight (48) hours, on becoming aware of a known or suspected Personal Data Breach and/or shall provide Client with all reasonable assistance in providing information for and in the reporting of a Personal Data Breach to the relevant Supervisory Authority; 21.4.10 notify Client if any instructions of the Client shall, to the knowledge of CSI, infringe Data Protection Legislation; 21.4.11 at the written direction of the Client, delete or return the Personal Data and copies thereof to the Client on request, and in any event on expiry or termination of an applicable Order or expiry or termination of this agreement unless required by Applicable Law to store the Personal Data; and 21.4.12 maintain complete and accurate records of Processing and other
appropriate information to demonstrate its compliance with this Clause 21; 21.4.13 CSI shall allow for and contribute to audits, including inspections, conducted by the Client, the Client’s customers or another independent auditor proposed by the Client and approved by CSI, for the purpose of demonstrating compliance by CSI and with their obligations under this Clause 21 provided that the Client gives CSI reasonable prior notice of such audit and/or inspection and they are limited to no more than once per annum unless (i) otherwise agreed by CSI or (ii) if CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months and Client wishes to confirm that CSI is now compliant. CSI shall be entitled to levy an additional charge on the Client for its reasonable time and effort utilised in providing such contribution and assistance as well as any costs and expenses incurred for additional audits over the once per annum except where CSI has been found to be in breach of this Clause 21 within the previous twelve (12) months. The Client consents to CSI appointing any third parties notified to the Client as a third-party processor to Process Personal Data (“Sub-processors”) under this agreement. CSI confirms that it has entered into, or (as the case may be) will use its reasonable endeavours to enter into a written agreement incorporating terms which are substantially similar to and as far as reasonably possible on terms that are no less onerous than those set out in this Clause 21. As between the Client and the CSI, CSI shall remain fully liable for all acts or omissions of any Sub-processors appointed by it pursuant to this Clause 21. CSI shall promptly notify Client in writing of any loss or damage to the Client Data. In the event of any loss or damage to Client Data, Client's sole and exclusive remedy shall be for CSI to use reasonable commercial endeavours to restore the lost or damaged Client Data from the latest backup of such Client Data.
CSI shall not be responsible for any loss, destruction, alteration or unauthorised disclosure of Client Data caused by any third party (except those third parties subcontracted by CSI to perform services related to Client Data maintenance and back-up) nor for the security or integrity of any Client Personal Data during its transmission via public telecommunications facilities, the Internet or similar. 21.7.1 the Parties shall execute and shall comply with the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), in the form set out in Schedule 7 to this agreement; and 21.7.2 the Parties agree that CSI shall be entitled to levy such additional charges costs and expenses in respect of its assistance and cooperation as provided for under Clause 21.7. The Client acknowledges and agrees that CSI has appointed or may appoint Sub-processors outside of the UK and the European Economic Area and (i) the Client consents to CSI subcontracting its processing operations performed on behalf of the Client to such Sub-processors; (ii) the Parties shall comply with the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers) (the “SCCs”), in the form set out in Schedule 7; and (iii) the Client acknowledges and agrees that CSI shall enter into the SCCs with any such appointed Sub-processors.
Each party (the “Indemnifying Party”) shall indemnify the other party (the “Indemnified Party”) against: 21.9.1 all claims, liabilities, costs, expenses, damages and losses (including but not limited to all reasonable professional costs and expenses) (“Losses”) suffered or incurred by the Indemnified Party arising out of or in connection with: a Personal Data Breach, any claim by a third party (including but not limited to a Data Subject) or any failure by the Indemnifying Party to comply with its obligations under this Clause 21; and 21.9.2 all penalties, awards, fines which are imposed upon by a Supervisory Authority, except to the extent that such Losses have arisen out of or in connection with any negligence or wilful default of the Indemnified Party or any breach by the Indemnified Party of its obligations under this Clause 21 (Data Protection).

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 19.1 Where any Personal Data are Processed in connection with the exercise of the Parties' rights and obligations under this Framework Agreement, the Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Data Controller and that the Landlord is the Data Processor. The only Processing that the Landlord is authorised to do is what has been instructed by the Council and may not be determined by the Landlord. 19.2 The Data Processor shall notify the Data Controller immediately if it considers that any of the Data Controller's instructions infringe the Data Protection Legislation. 19.3 The Landlord shall provide reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment. 19.4 The Landlord shall: 19.4.1 Process the Personal Data only in accordance with instructions from the Council to perform its obligations under this Agreement; 19.4.2 ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data (and provide the Council with details of such measures, if so requested by the Council on reasonable notice in writing); 19.4.3 not disclose or transfer the Personal Data to any third party or Landlord Staff unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written approval (save where such disclosure or transfer is specifically authorised under this Agreement);
19.4.4 in accordance with Article 32 of the GDPR, implement appropriate technical and organisational security measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed; 19.4.5 ensure a level of security appropriate to the risk is applied taking into account the harm which might result from any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed. The security measures shall include, but shall not be limited to; a) the pseudonymisation and encryption of the Personal Data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; c) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;

Appears in 1 contract

Sources: Accreditation of Landlords and Supply of Emergency Temporary Accommodation Agreement

Data Protection. 15.1 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the Customer is the Data Controller and that the Supplier is the Data Processor. 15.2 Where the Supplier, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the Customer, it shall comply with the Data Protection Legislation and more particularly: 15.2.1 Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Supplier during the TermContractor); 15.2.2 safeguard Personal Data which will include only transferring Personal Data if essential and encrypting Personal Data where required in accordance with any international data encryption standards and the standards applicable to the Customer; 15.2.3 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Regulatory Authority;
15.2.4 take all reasonable steps to ensure the reliability of any Supplier Personnel who have access to the Personal Data; 15.2.5 obtain prior written consent from the Customer in order to transfer the Personal Data to any third parties for the provision of the Services; 15.2.6 ensure that all Supplier Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; 15.2.7 ensure that none of Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer; 15.2.8 ensure that Customer Personal Data is kept separate from Supplier Personal Data and from any Personal Data belonging to another customer of Supplier; 15.2.9 notify the Customer within seven days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Customer's obligations under the Data Protection Legislation; 15.2.10 provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Customer with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions; (c) providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and (d) providing the Customer with any information requested by the Customer; 15.2.11 not Process Personal Data outside the European Economic Area without the prior written consent of the Customer and, where the Customer consents to a transfer, to comply with: (a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred (for example, by ensuring that any third party based in the USA and processing Personal Data holds and maintains Safe Harbor certification as long as it processes such Personal Data); and (b) any reasonable instructions notified to it by the Customer.
22.2.11 The 15.3 Where any Personal Data is Processed by any sub-contractor of the Supplier, the Supplier shall procure that such sub-contractor shall comply at all times with the Data Protection Legislation and shall not perform its relevant obligations under set out in this Framework Agreement in Clause 15 as if such a way as to cause sub-contractor were the Authority to breach any of its applicable obligations under the Data Protection LegislationSupplier.

Appears in 1 contract

Sources: Public Health Substance Misuse Treatment Service Agreement

Data Protection. 19.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Purchaser is the Controller and the Provider is the Processor. The only processing that the Provider is authorised to do is listed in Schedule 4 by the Purchaser and may not be determined by the Provider. 19.2 The Provider shall notify the Purchaser immediately if it considers that any of the Purchaser's instructions infringe the Data Protection Legislation. 19.3 The Provider shall provide all reasonable assistance to the Purchaser in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Purchaser, include: (a) A systematic description of the envisaged processing operations and the purpose of the processing; (b) An assessment of the necessity and proportionality of the processing operations in relation to the Care Service; (c) An assessment of the risks to the rights and freedoms of data subjects; and (d) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.4 The Provider shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) Process that Personal Data only in accordance with Schedule 4, unless the Provider is required to do otherwise by Law.
If it is so required the Provider shall promptly notify the Purchaser before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Purchaser as appropriate to protect against a Data Loss Event having taken account of the: (i) Nature of the data to be protected; (ii) Harm that might result from a Data Loss Event; (iii) State of technological development; and (iv) Cost of implementing any measures; (c) Ensure that: (i) The Provider personnel do not process Personal Data except in accordance with this Contract (and in particular Schedule 4); (ii) It takes all reasonable steps to ensure the reliability and integrity of any Provider personnel who have access to the Personal Data and ensure that they: (A) Are aware of and comply with the Provider’s duties under this condition; (B) Are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor; (C) Are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; and (D) Have undergone adequate training in the use, care, protection and handling of Personal Data; (d) Not transfer Personal Data outside of the EU unless the prior written consent of the Purchaser has been obtained and the following conditions are fulfilled: (i) The Purchaser or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Purchaser; (ii) The Data Subject has enforceable rights and effective legal remedies; (iii) The Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Purchaser in meeting its obligations); and (iv) The Provider complies with any reasonable instructions notified to it in advance by the Purchaser with respect to the processing of the Personal Data; (e) At the written direction of the Purchaser, delete or return Personal Data (and any copies of it) to the Purchaser on termination of this Contract unless the Provider is required by law to retain the Personal Data.
19.5 Subject to condition 19.6, the Provider shall notify the Purchaser immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory Authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law; or (f) becomes aware of a Data Loss Event. 19.6 The Provider’s obligation to notify under condition 19.5 shall include the provision of further information to the Purchaser in phases, as details become available.
19.7 Taking into account the nature of the processing, the Provider shall provide the Purchaser with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under condition 19.5 (and insofar as possible within the timescales reasonably required by the Purchaser) including by promptly providing: (a) The Purchaser with full details and copies of the complaint, communication or request; (b) Such assistance as is reasonably requested by the Purchaser to enable the Purchaser to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) The Purchaser, at its request, with any Personal Data it holds in relation to a Data Subject; (d) Assistance as requested by the Purchaser following any Data Loss Event; (e) Assistance as requested by the Purchaser with respect to any request from the Information Commissioner’s Office, or any consultation by the Purchaser with the Information Commissioner's Office. 19.8 The Provider shall maintain complete and accurate records and information to demonstrate its compliance with this condition. This requirement does not apply where the Provider employs fewer than 250 staff, unless: (a) The Purchaser determines that the processing is not occasional; (b) The Purchaser determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) The Purchaser determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 19.9 The Provider shall allow for audits of its Data Processing activity by the Purchaser or the Purchaser’s designated auditor. 19.10 The Provider shall designate a data protection officer if required by the Data Protection Legislation. 
19.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Provider must: (a) Notify the Purchaser in writing of the intended Sub-processor and processing; (b) Obtain the written consent of the Purchaser; (c) Enter into a written agreement with the Sub-processor which give effect to the terms set out in this condition 19 such that they apply to the Sub-processor; and (d) Provide the Purchaser with such information regarding the Sub-processor as the Purchaser may reasonably require. 19.12 The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 19.13 The Purchaser may, at any time on not less than 30 Working Days’ notice, revise this condition by replacing it with any applicable controller to processor standard conditions or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 19.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Purchaser may on not less than 30 Working Days’ notice to the Provider amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Contract for Adult Home Care Services

Data Protection. 14.1 For the purposes of this Clause 14, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the Data Protection Legislation. 14.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 14 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Data Protection Legislation. 14.3 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and that the Supplier is the data processor. 14.4 Without prejudice to Clause 14.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (as defined in the Data Protection Legislation) to the Supplier for the duration and purposes of the agreement. 14.5 Without prejudice to Clause 14.2, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the agreement: 14.5.1 process that Personal Data only on the written instructions of the Customer unless the Supplier is required by Domestic Law to process Personal Data (Purpose). Where the Supplier is relying on Domestic Law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Domestic Law unless those Domestic Laws prohibit the Supplier from so notifying the Customer; 14.5.2 ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality; 14.5.3 notify the Customer without undue delay on becoming aware of a personal data breach involving the Personal Data; 14.5.4 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 14.5.5 assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to the Supplier), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 14.5.6 at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless the Supplier is required by Domestic Law to continue to process that Customer Personal Data. For the purposes of this Clause 14.5.6, Customer Personal Data shall be considered deleted where it is put beyond further use by the Supplier; and 14.5.7 maintain records to demonstrate its compliance with this Clause 14. 14.6 The Customer provides its prior, general authorisation for the Supplier to: 14.6.1 appoint processors to process the Customer Personal Data, provided that the Supplier: a. shall ensure that the terms on which it appoints such processors comply with Data Protection Legislation, and are consistent with the obligations imposed on the Supplier in this Clause 14; b. shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of the Supplier; and c. shall inform the Customer of any intended changes concerning the addition or replacement of the processors, thereby giving the Customer the opportunity to object to such changes provided that if the Customer objects to the changes and cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Legislation, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection. 14.6.2 transfer Personal Data outside of the UK as required for the Purpose, provided that the Supplier shall ensure that all such transfers are effected in accordance with Data Protection Legislation. For these purposes, the Customer shall promptly comply with any reasonable request of the Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the Commissioner from time to time (where the UK GDPR applies to the transfer). 14.7 Either party may, at any time on not less than 30 days' notice, revise this Clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 14.8 The Supplier's liability for losses arising from breaches of this Clause 14 is as set out in Clause 16.4.2.

Appears in 1 contract

Sources: Terms and Conditions for Supply of Goods and Services

Data Protection. 28.1 With respect to the parties' rights and obligations under this Funding Agreement, the parties agree that the Secretary of State is the Data Controller and that the ERDF Recipient is the Data Processor. 28.2 The ERDF Recipient shall:- (a) process the Personal Data only in accordance with instructions from the Secretary of State (which may be specific instructions or instructions of a general nature as set out in this Funding Agreement or as otherwise notified by the Secretary of State to the ERDF Recipient during the term of this Funding Agreement); (b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Project Activities or as is required by Law or any Regulatory Body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take all reasonable steps to ensure the reliability of any ERDF Recipient Personnel who have access to the Personal Data; (e) obtain prior written consent from the Secretary of State in order to transfer the Personal Data to any contractors or affiliates for the provision of the Project Activities; (f) ensure that all ERDF Recipient Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 20; (g) ensure that none of ERDF Recipient Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Secretary of State; (h) notify the Secretary of State (within five (5) Working Days) if it receives:- (i) a request from a Data Subject to have access to that person's Personal Data; or (ii) a complaint or request relating to the Secretary of State’s obligations under the Data Protection Legislation; (i) provide the Secretary of State with full cooperation and assistance in relation to any complaint or request made, including by:- (i) providing the Secretary of State with full details of the complaint or request; (ii) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Secretary of State’s instructions; (iii) providing the Secretary of State with any personal data it holds in relation to a Data Subject (within the timescales required by the Secretary of State); and (iv) providing the Secretary of State with any information requested by the Secretary of State; (j) permit the Secretary of State or a representative of the Secretary of State (Following the closure of the UK Audit Commission on 31 March 2015 visit ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/uploads/system/uploads/attachment_data/file/418033/AC_Future_functions_at_a_glance.pdf to identify which organisation is the successor body or repository for information in a number of common scenarios.), to inspect and audit (subject to the reasonable and appropriate confidentiality undertakings), the ERDF Recipient's Data Processing activities (and/or those of its agents, subsidiaries and contractors) and comply with all reasonable requests or directions by the Secretary of State to enable the Secretary of State to verify and/or procure that the ERDF Recipient is in full compliance with its Data Processing obligations under this Funding Agreement; (k) provide a written description of the technical and organisational methods employed by the ERDF Recipient for processing Personal Data (within the timescales required by the Secretary of State); and (l) not Process Personal Data outside the European Economic Area without the prior written consent of the Secretary of State and, where the Secretary of State consents to a transfer, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Secretary of State.

Appears in 1 contract

Sources: Funding Agreement

Data Protection. 15.1 The Service Provider and the Service Recipient acknowledge and agree that where the Service Provider or the Service Recipient processes personal data under or in connection with this Agreement it alone determines the purposes and means of processing as a controller. 15.2 In respect of the personal data that the Service Provider or the Service Recipient processes under or in connection with this Agreement, it: 15.2.1 shall comply at all times with its obligations under the data protection law; 15.2.2 shall notify the other Party without undue delay after, and in any event within twenty four (24) hours of, becoming aware of a personal data breach; and 15.2.3 shall assist and co-operate fully with the other Party to enable it to comply with its obligations under the data protection law, including but not limited to in respect of keeping personal data secure, dealing with personal data breaches, complying with the rights of data subjects and carrying out data protection impact assessments. 15.3 In respect of the personal data that the Service Provider processes under or in connection with this Agreement, the Service Provider shall only process such personal data for the purposes of performing its obligations under this Agreement. 15.4 The Service Provider and the Service Recipient shall work together to ensure that each of them is able to process the personal data that it processes under or in connection with this Agreement for the purposes contemplated by this Agreement lawfully, fairly and in a transparent manner and in compliance with the data protection law. This shall include but not be limited to entering into such other written agreements as may be required from time to time to enable the Service Provider and/or the Service Recipient to comply with the data protection law. 15.5 The activities of the Service Provider under or in connection with this Agreement in respect of which the Service Provider processes personal data as a processor on behalf of the Service Recipient, together with the data protection particulars for such processing, are stated in Appendix 10 (Data Privacy and Information Security Addendum). In addition to Clauses 15.2, 15.3 and 15.4, where, under or in connection with this Agreement, the Parties agree that Service Provider processes personal data as a processor on behalf of the Service Recipient, the Service Provider shall: 15.5.1 subject to Clause 15.5.2, only carry out such processing on the Service Recipient’s instructions from time to time. The Service Provider shall immediately inform the Service Recipient if, in its opinion, an instruction infringes any relevant data protection law; 15.5.2 where it is required by Applicable Law to carry out processing otherwise than in accordance with Clause 15.5.1, inform the Service Recipient of the legal requirement before carrying out such processing (unless prohibited from doing so by Applicable Law); 15.5.3 not disclose the personal data to any person except as required or permitted by this Agreement or with the Service Recipient’s prior written consent; 15.5.4 without prejudice to Clause 21 (Confidentiality), ensure that all persons authorised to process the personal data are under an appropriate contractual or other legal obligation to keep the personal data confidential; 15.5.5 taking account of the nature of the processing, implement appropriate technical and organisational measures: (a) in a manner that ensures the processing meets the requirements of the data protection law and the protection of the rights of data subjects; (b) to keep the personal data secure and to protect against the risk of personal data breaches; and (c) to assist the Service Recipient to comply with its obligations under the data protection law to respond to requests for exercising the rights of data subjects; 15.5.6 not process the personal data, or disclose the personal data to any party who carries on business, outside of the United Kingdom and the European Economic Area except with the Service Recipient’s prior written consent and, where such consent is given, the Service Provider shall take such actions and enter into such agreements as the Service Recipient may require to ensure that such processing or disclosure complies with all relevant data protection law; 15.5.7 not enter into an arrangement with any sub-contractor to process the personal data directly or indirectly on behalf of the Service Recipient without the prior written consent of the Service Recipient and, where such consent is given, the Service Provider shall enter into a written agreement with the sub-contractor that includes, as a minimum, provisions in favour of the Service Recipient which are equivalent to those in this Clause 15 (Data Protection). The Service Provider shall remain fully liable to the Service Recipient for any sub-contractors’ processing personal data; and 15.5.8 at the Service Recipient’s option, delete or return to the Service Recipient all the personal data on termination of this Agreement and delete any existing copies of the personal data except to the extent that the Service Provider is required to retain such personal data by Applicable Law. 15.6 The Service Provider shall make available to the Service Recipient all information necessary to demonstrate its compliance with its obligations under this Clause 15 (Data Protection) and the Service Recipient reserves the right to audit the Service Provider’s compliance with its obligations under this Clause 15 (Data Protection) in accordance with Clause 16 (Records and Audit Access). 15.7 The Service Provider’s obligations under this Clause 15 (Data Protection) shall continue throughout this Agreement and for a period of seven (7) years thereafter or such other period as the Service Recipient may require or as may be required pursuant to Applicable Law. 15.8 For the purposes of this Clause 15 (Data Protection) and Appendix 10 (Data Privacy and Information Security Addendum):

Appears in 1 contract

Sources: Inter Group Services Agreement (Fidelis Insurance Holdings LTD)

Data Protection. ‘Data Protection Requirements’ means the Data Protection Act 1998, the EU Data Protection Directive 95/46EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI2000/2699), the Privacy & Electronic Communications (EC Directive) Regulations 2003, all applicable laws and regulations relating to the processing of personal data and privacy including as applicable the guidance and codes of practice issued by the Information Commissioner. 18.1 The Service Provider’s attention is hereby drawn to the Data Protection Requirements. The Client and the Service Provider shall observe their obligations under the Data Protection Requirements. 18.2 Where the Service Provider pursuant to its obligations under this Partnering Contract, processes Personal Data (as defined under the Data Protection Act 1998) on behalf of the Client, it shall: 18.1 Process the Personal Data only in accordance with instructions from the Client (which may be specific instructions or instructions of a general nature as set out in this Partnering Contract or as otherwise notified by the Client to the Service Provider during the Term); 18.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any regulatory body; 18.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 18.4 Take reasonable steps to ensure the reliability of any Service Provider’s personnel who have access to the Personal Data; 18.5 Obtain prior written consent from the Client in order to transfer the Personal Data to any sub-contractors for the provision of the Services; 18.6 Ensure that any Service Provider’s personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause; 18.7 Ensure that none of the Service Provider’s personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Client; 18.8 Notify the Client (within five (5) working Days) if it receives: (1) a request from a Data Subject (as defined under the Data Protection Act 1998) to have access to that person’s Personal Data; or (2) a complaint or request relating to the Client’s obligations under the Data Protection Requirements; 18.9 Provide the Client with full cooperation and assistance in relation to any complaint or request made, including by: (1) providing the Client with full details of the complaint or request; (2) complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the instructions from the Client; (3) providing the Client with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and (4) providing the Client with any information requested by the Client; 18.10 Permit the Client or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Service Provider’s data processing activities (and/or those of its agents, subsidiaries and direct sub-contractors) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that the Service Provider is in full compliance with its obligations under this Partnering Contract; 18.11 Provide a written description of the technical and organisational methods employed by the Service Provider for processing Personal Data (within the timescales required by the Client); and 18.12 Not process Personal Data outside the European Economic Area without the prior written consent of the Client and, where the Client consents to a transfer, to comply with: (1) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (2) any reasonable instructions notified to it by the Client. 18.3 The Service Provider shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Partnering Contract in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Requirements. 18.4 The Client may from time to time serve on the Service Provider an information notice requiring the Service Provider within such time and in such form as is specified in the information notice, to furnish to the Client such information as the Client may reasonably require relating to: 18.4.1 compliance by the Service Provider with the Service Provider’s obligations under this Partnering Contract in connection with the processing of Personal Data; and/or 18.4.2 the rights of data subjects, including but not limited to subject access rights. 18.5 The Service Provider will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Client or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Partnering Contract. 18.6 With respect to the parties’ rights and obligations under this Partnering Contract, the parties acknowledge that the Client is the Data Controller and the Service Provider is the Data Processor (as each term is defined in the Data Protection Requirements). Where the Service Provider wishes to appoint a Specialist to assist it in providing the Term Programme and such assistance includes the processing of Personal Data on behalf of the Client, relating to the appointment of the Specialist, the Client hereby grants to the Service Provider delegated authority to appoint on the Client’s behalf such Specialist to process Personal Data provided that the Service Provider shall notify the Client in writing of such appointment and the identity and location of such Specialist. The Service Provider shall include substantially the same wording with respect to Data Protection Requirements as are set out in this Partnering Contract, including the terms set out in this document. 18.7 Save as set out in this document any unauthorised processing, use or disclosure of Personal Data by the Service Provider is strictly prohibited. 18.8 The Service Provider shall be liable for and shall indemnify (and keep indemnified) the Client against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and Client basis) and demands incurred by the Client which arise directly or in connection with the Service Provider’s data processing activities under this Partnering Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the Service Provider or its employees, servants, agents or Specialists.

Appears in 1 contract

Sources: Term Partnering Contract

Data Protection. 23.1. In relation to any Personal Data processed in performance of the Services, each Party shall comply with its respective obligations under the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 including any amendments or other applicable legislation (“Data Protection Laws”). For the purposes of this Agreement the parties agree that the Member is the Data Controller and that PeoplePlus is the Data Processor. 23.2. The Member may provide Personal Data to PeoplePlus together with such other information as may reasonably be required in order for PeoplePlus to provide the Services. The Member warrants and represents that it has obtained all the necessary consents and/or approvals required for the collection, processing and sharing of any Personal Data with PeoplePlus. 23.3. PeoplePlus warrants that it shall: 23.3.1 process the Personal Data only in accordance with Data Protection Laws and the terms of this Agreement; 23.3.2 process the Personal Data only strictly in accordance with the Client’s lawful instructions as communicated to PeoplePlus in writing from time to time; 23.3.3 ensure that only PeoplePlus personnel who may be required to assist it in meeting its obligations under this Agreement shall have access to the Personal Data and take all necessary steps to ensure the reliability of all of its personnel with access to the personal data and ensure that all such personnel are bound by a duty to keep the personal data confidential; and 23.3.4 have in place and shall maintain appropriate operational and technological processes and procedures to safeguard against any unauthorised access, loss, destruction, theft, use or disclosure of the Personal Data. 23.3.5 Notify the Client in writing: 23.3.6 of any complaint which relates directly to the processing of the personal data or to either Party’s compliance with the Applicable Data Protection Laws; 23.3.7 if the instructions for PeoplePlus set out in this Agreement infringe Applicable Data Protection Laws; or 23.3.8 without undue delay about a personal data breach relating to personal data processed by PeoplePlus under this Agreement, and shall provide the Client with full co-operation and assistance in relation to the same; 23.3.9 PeoplePlus will, to the extent legally permissible, promptly notify the Client if it receives any complaint, dispute or information requests which may be received from Data Subjects and provide assistance, including but not limited to: 23.3.9.1 requests of data subjects to access, rectify, delete, erase, receive or restrict the processing of their personal data; 23.3.9.2 security of processing and notification of personal data breaches; 23.3.9.3 data protection impact assessments; and use reasonable endeavours to enable the Client to comply with such requests. For further information on data subject rights under current data legislation please consult the PeoplePlus Client Privacy Policy. A copy is available on request at ▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇. i) For the avoidance of doubt, it is agreed that if any costs are involved in respect to the above or PeoplePlus, as processor, incurs any costs, these costs shall be borne by the Client. 23.3.10 PeoplePlus shall not disclose or divulge any of the Personal Data to any third party, other than those engaged in provision of the Service or as required by operation of law. 23.3.11 No Personal Data may be processed outside of the EEA without the express written permission of the Client. 23.3.12 The scope of the processing carried out by PeoplePlus under this Agreement is as follows: 23.3.12.1 scope, nature and purpose of processing: For delivery of the Services set out in Schedule 1; 23.3.12.2 duration: For the term of this Agreement; and 23.3.12.3 types of personal data and categories of data subjects: name, address, email and contact details of the Learners and Client employees. 23.3.13 The Client shall provide all reasonable assistance to PeoplePlus in fulfilling its obligations under the Data Protection Laws and if it comes to know of any compliance to be fulfilled by PeoplePlus it shall inform PeoplePlus of it immediately. 23.3.14 PeoplePlus agrees to indemnify the Client against any direct losses suffered or incurred by the Client due to breach by PeoplePlus. Notwithstanding any provision in this Agreement, PeoplePlus’s liability for a data breach shall be limited to £500,000 (five hundred thousand).

Appears in 1 contract

Sources: Services Agreement

Data Protection. 17.1. With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor in relation to Authority Personal Data. The Supplier shall (and shall procure that Staff) comply with any notification requirements under the Data Protection Legislation 17.2. Notwithstanding the general obligation in Clause 17.1, where the Supplier is Processing any Authority Personal Data for the Authority the Supplier shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the Authority Personal Data (and to guard against unauthorised or unlawful Processing of the Authority Personal Data and against accidental loss or destruction of, or damage to, the Authority Personal Data), as required under the ‘Seventh Data Protection Principle’ in schedule 1 to the Data Protection ▇▇▇ ▇▇▇▇ and shall: 17.2.1. provide the Authority with such information as the Authority may reasonably request to satisfy itself that the Supplier is complying with its obligations under the Data Protection Legislation; 17.2.2. promptly notify the Authority of any breach of the security measures to be put in place pursuant to this Clause 17.2; 17.2.3. ensure that it does not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the Data Protection Legislation; 17.2.4. take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Authority Personal Data; 17.2.5. obtain prior Approval from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliated Company for the provision of the Services; 17.2.6. ensure that all Supplier Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 17; 17.2.7. ensure that none of the Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 17.2.8. notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Authority Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; and 17.2.9. provide the Authority with full cooperation and assistance in relation to any complaint or request made relating to the Authority Personal Data, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Authority Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority. 17.3. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: (a) the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause Error! Reference source not found. (Variation Procedure) and Clauses 1.1.1(b) to 1.1.1(d); (b) the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (A) a direct data processing agreement with the Authority on such terms as may be required by the Authority; or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. 17.4. The Supplier shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 35.1 Where any Personal Data is Processed in connection with the exercise of the Parties' rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. 35.2 The Supplier shall: (a) Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) (d) take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: (i) are aware of and comply with the Supplier’s duties under the Call Off Contract; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose, or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and (iii) have undergone adequate training in the use, care, protection, and handling of Personal Data (as defined in the DPA); (e) notify the Customer immediately if it becomes aware of a Data Loss Event or if it receives: (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; (f) provide the Customer with full cooperation and assistance (within the timescales reasonably required by them) in relation to any complaint, communication or request made (as referred to at Clause 35.2(e)) including by promptly providing: (i) the Customer with full details and copies of the complaint, communication, or request; (ii) where applicable, such assistance as is reasonably requested by the Customer to enable them to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and (iii) the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and (g) if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 35.2(e) and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training, and manuals. 35.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the following provisions shall apply: (a) the Supplier shall propose a Variation to the Customer which, if it is agreed by them, shall be dealt with in accordance with the Variation Procedure; (b) the Supplier shall set out in its proposal to the Customer for a Variation details of the following: (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance, and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: (i) incorporating standard and/or model clauses (which are approved by the Information Commissioners Office as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (1) a direct data processing agreement with the Customer on such terms as may be required by them; or (2) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and (iii) in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the Information Commissioners Office as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data.

Appears in 1 contract

Sources: Goods and/or Services Contract

Data Protection. 23.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause 23 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 23.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. The only processing that the Supplier is authorised to do by the Authority is in accordance with written instructions and may not be determined by the Supplier. 23.3 The Supplier will notify the Authority immediately if it considers that any of the Authority’s instructions infringe Data Protection legislation. 23.4 Without prejudice to the generality of clause 23.1, the Authority will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement. 23.5 The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Contractor, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 23.6 Without prejudice to the generality of clause 23.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Authority, unless the Supplier is required to do otherwise by the Law. If it is so required, the Supplier shall promptly notify the Authority before processing the Personal Data, unless prohibited by Laws; (b) ensure that it has in place appropriate technical and organisational measures which have been reviewed and approved by the Authority, to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) the state of technological development; and (iv) the cost of implementing any measures (c) the Supplier’s Personnel do not process Personal Data except in accordance with this Agreement; (d) it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Supplier’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-Processor (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and (e) not transfer any Personal Data outside of the EU unless the prior written consent of the (i) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation; and (iv) the Supplier complies with the reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (f) at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. 23.7 The Supplier shall notify the Authority immediately and within 48 hours of receipt, if it receives: (a) a request from a Data Subject Access Request (or purported Data Subject Access Request); (b) a request to rectify, block or erase any Personal Data; (c) any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (d) a request from any third party for disclosure of Personal Data where compliance with such request as required or purported to be required by Law; or (e) becomes aware of a Data Loss Event. 23.8 The Supplier shall provide the Authority with full assistance in relation to either Party’s obligations under the Data Protection Legislation and any complaint, communication or request made under clause 23.7: (a) by promptly providing within 5 working days: i. the Authority with full details and copies of the complaint, communication or request; ii. such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; iii. the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; or iv. assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner’s Office. (b) immediately within 24 hours of the request by the Authority following a Data Loss Event; 23.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 23 23.10 The Supplier shall allow for audits by the Authority or the Authority’s designated auditor pursuant to clause 25; 23.11 Before allowing any Sub-Contractor pursuant to clause 18 to process any Personal Data relating to this agreement, it shall: (a) notify the Authority in writing of the intended processing by the Sub-Contractor; (b) obtain prior written consent from the Authority to the processing; (c) ensure that any Sub-Contract imposes obligations on the Sub-Contractor to give effect to the terms set out in this clause 23. 23.12 The Supplier shall remain fully liable for all the acts or omissions of any sub-contractor. 23.13 Either Party may, at any time on not less than 30 Working Days’ written notice to the other party, revise this clause 23 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

Appears in 1 contract

Sources: Contract for the Provision of Clinical Waste Services

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates Affiliated Company for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's 
Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level 
of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Courier Services Framework Agreement

Data Protection. 22.1 With respect to 23.1 Both Parties will comply with all applicable requirements of the Parties' rights Data Protection Legislation. This clause 23 is in addition to, and does not relieve, remove or replace, a party’s obligations under this Framework Agreementthe Data Protection Legislation. 23.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. The only processing that the Supplier is authorised to do by the Authority is in accordance with written instructions and may not be determined by the Supplier. 22.2 23.3 The Supplier shall:will notify the Authority immediately if it considers that any of the Authority’s instructions infringe Data Protection legislation. 22.2.1 Process 23.4 Without prejudice to the generality of clause 23.1, the Authority will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during for the Term);duration and purposes of this agreement. 22.2.2 Process 23.5 The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Contractor, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 23.6 Without prejudice to the generality of clause 23.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: process that Personal Data only to on the extent, and in such manner, as it necessary for the provision written instructions of the Services or as Authority, unless the Supplier is required to do otherwise by Law or any Regulatory Body; 22.2.3 implement the Law. If it is so required, the Supplier shall promptly notify the Authority before processing the Personal Data, unless prohibited by Laws; ensure that it has in place appropriate technical and organisational measures which have been reviewed and approved by the Authority, to protect against a Data Loss Event having taken account of the: nature of the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall data to be appropriate to the protected; harm which that might result from a Data Loss Event; the state of technological development; and the cost of implementing any unauthorised or unlawful Processing, accidental loss, destruction or damage to measures the Supplier’s Personnel do not process Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take except in accordance with this Agreement; it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff Personnel who have access to the Personal Data; 22.2.5 obtain prior Approval from Data and ensure that they: are aware of and comply with the Authority in order Supplier’s duties under this clause; are subject to transfer appropriate confidentiality undertakings with the Personal Data to Supplier or any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data Processor are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify Authority or as otherwise permitted by this Agreement; and have undergone adequate training in the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's use, care, protection and handling of Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales 
set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with not transfer any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description outside of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without EU unless the prior written consent of the Authority or Contracting Body concerned and, where has been obtained and the following conditions are fulfilled: the Authority or Other Contracting Body concerned consents the Supplier has provided appropriate safeguards in relation to Processing and/or transfer outside the European Economic Area, to comply with: (i) transfer; the Data Subject has enforceable rights and effective remedies; the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any and the Supplier complies with the reasonable instructions notified to 
it in advance by the Authority with respect to the processing of the Personal Data; at the written direction of the Authority, delete or Contracting Body concernedreturn Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. 22.2.11 23.7 The Supplier shall comply at all times notify the Authority immediately and within 48 hours of receipt, if it receives: a request from a Data Subject Access Request (or purported Data Subject Access Request); a request to rectify, block or erase any Personal Data; any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); a request from any third party for disclosure of Personal Data where compliance with such request as required or purported to be required by Law; or becomes aware of a Data Loss Event. 23.8 The Supplier shall provide the Authority with full assistance in relation to either Party’s obligations under the Data Protection Legislation and shall not perform its obligations any complaint, communication or request made under this Framework Agreement in clause 23.7: by promptly providing within 5 working days: the Authority with full details and copies of the complaint, communication or request; such a way assistance as to cause is reasonably requested by the Authority to breach any of its applicable obligations under enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; or assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner’s Office. 
immediately within 24 hours of the request by the Authority following a Data Loss Event; 23.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 23 23.10 The Supplier shall allow for audits by the Authority or the Authority’s designated auditor pursuant to clause 25; 23.11 Before allowing any Sub-Contractor pursuant to clause 18 to process any Personal Data relating to this agreement, it shall: notify the Authority in writing of the intended processing by the Sub-Contractor; obtain prior written consent from the Authority to the processing; ensure that any Sub-Contract imposes obligations on the Sub-Contractor to give effect to the terms set out in this clause 23. 23.12 The Supplier shall remain fully liable for all the acts or omissions of any sub-contractor. 23.13 Either Party may, at any time on not less than 30 Working Days’ written notice to the other party, revise this clause 23 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

Appears in 1 contract

Sources: Contract for the Provision of Services

Data Protection. 22.1 With respect 15.1 Each party shall comply and shall procure that any of its staff involved in the activities under this Agreement shall comply with the provisions imposed on them by the Data Protection Laws. This clause 15 is supplemental to the Parties' rights and does not relieve, remove or replace, a party’s obligations under the Data Protection Laws. 15.2 Each party shall maintain records of all its Personal Data processing operations relating to this Framework Agreement such that these records contain at least the minimum information required by the Data Protection Laws and each party shall make such information available to an applicable regulator on request. 15.3 The parties acknowledge that for the purposes of the Data Protection Laws, the intention of the parties is that the Client is the controller and TalenTeam is the processor. The Data Processing Annex attached to each SOW sets out details of the processing of Personal Data to be undertaken by TalenTeam in connection with that SOW, the types of Personal Data, categories of Data Subjects, and nature and purposes of processing. Such processing shall take place throughout the duration of this Agreement. 15.4 To the extent that TalenTeam processes any Personal Data on behalf of the Client pursuant to this Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 
22.2 The Supplier TalenTeam shall: 22.2.1 Process the 15.4.1 process such Personal Data only in accordance with the Client’s written instructions from the Authority time to time (which may be specific instructions or instructions of a general nature as including those set out in this Framework Agreement or as otherwise notified by the Authority Agreement) save for processing which TalenTeam is required to the Supplier during the Term)do pursuant to any applicable law; 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 15.4.2 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receivesthat: (a) access to such Personal Data is limited to its personnel who need to access it in order to meet TalenTeam’s obligations under this 
Agreement; (b) in the case of access by its personnel, access to such Personal Data is limited to such part or parts of the Personal Data as is strictly necessary for performance of that member of personnel’s own duties; and (c) any personnel who have access to such Personal Data are subject to binding obligations of confidentiality when processing such Personal Data; 15.4.3 implement and maintain technical and organisational measures and procedures to ensure an appropriate level of security for such Personal Data, including protecting such Personal Data against the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access; 15.4.4 inform the Client if any such Personal Data is (while within TalenTeam's possession or control) subject to a personal data breach (as defined in Article 4 of GDPR or UK GDPR, as applicable) without undue delay after becoming aware; 15.4.5 not disclose any such Personal Data to any Data Subject or to a third party other than at the written request of the Client, in order to comply with a requirement of a regulator having authority over TalenTeam, or as expressly provided for in this Agreement; 15.4.6 at the written request of the Client, return or delete all such Personal Data on termination or expiry of this Agreement, and not make any further use of such Personal Data (except to the extent that applicable law or the Client’s administrative and regulatory requirements requires continued storage of any such Personal Data by TalenTeam); 15.4.7 provide to the Client and any regulator (at the Client’s cost and at TalenTeam’s then time and material rates for any repeat requests) all records, information and assistance necessary to demonstrate or ensure compliance with the obligations in this clause 14.4; 15.4.8 no more than once every calendar year and subject to TalenTeam having the right to do so, permit the Client or its representatives (at the Client’s cost) to access any relevant 
premises (subject to TalenTeam having the right to permit such access), personnel or records of TalenTeam on reasonable notice (but being no less than fifteen (15) Business Days) to audit and otherwise verify compliance with this clause 15.4, unless such audit is required by a regulator or in circumstances where TalenTeam has reported a personal data breach in which case it can be carried out as necessary and with as much written notice as the Client is able reasonably to give; 15.4.9 take such steps as are reasonably required to assist the Client (at the Client’s cost at TalenTeam’s then time and material rates, for any onerous or repeat requests) to comply with the Client’s obligations under Articles 30 to 36 (inclusive) of the GDPR (or UK GDPR as applicable) as they relate to TalenTeam’s obligations under this Agreement; 15.4.10 notify the Client within seven (7) Business Days if it receives a request from a Data Subject to have access exercise its rights under the Data Protection Laws in relation to that person's Personal Data; orand (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 15.4.11 provide the Authority Client with full cooperation its reasonable co-operation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with made by a data access request within the relevant timescales set out in Data Subject to exercise its rights under the Data Protection Legislation and Laws in accordance with relation to that person's Personal Data. 
TalenTeam shall not charge for such requests unless such request is manifestly unjust or excessive, in which case TalenTeam shall reserve the Authority's instructions;right to charge the Client a reasonable administration fee; and (c) providing the Authority with 15.4.12 not transfer any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those outside of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without unless the prior written consent of the Authority Client has been obtained, not to be unreasonably withheld or Contracting Body concerned anddelayed, where and one of the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside following conditions has been fulfilled under the European Economic Area, to comply withapplicable Data Protection Laws: (ia) the obligations of transfer is to a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing country or territory which provides an adequate level of protection protection; (b) 
the transfer is made subject to appropriate safeguards; or (c) a relevant derogation exists. 15.5 If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority other party or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times to either party's compliance with the Data Protection Legislation Laws, it shall promptly notify the other party and shall not perform provide the other party with reasonable co-operation and assistance in relation to any such complaint, notice or communication. 15.6 Where the Client or an Authorised User transfers Personal Data to TalenTeam, whether as part of the Service or otherwise, the Client warrants to TalenTeam that it has secured a lawful data processing ground, in accordance with and in compliance with applicable Data Protection Laws, to process such Personal Data and to share such Personal Data with TalenTeam. 15.7 The Client hereby indemnifies TalenTeam for any DP Losses incurred as a result of: 15.7.1 a claim by a data subject whose Personal Data has been provided by or on behalf of the Client to TalenTeam pursuant to the Service Contract, that there is no lawful basis of processing that Personal Data in accordance with the terms of this Agreement; and/or 15.7.2 a breach of a data subject’s rights under Data Protection Laws, arising out of any written instructions provided by or on behalf of the Client to TalenTeam pursuant to this Agreement or otherwise relating to Personal Data; and/or 15.7.3 a breach by the Client of its warranty in clause 14.6. 15.8 TalenTeam hereby indemnifies the Client for any DP Losses incurred solely as a result of a breach by TalenTeam of its obligations under pursuant to clause 14. 
15.9 TalenTeam may subcontract its processing of Personal Data on behalf of the Client, for the sole purpose of providing a part of the Services or enabling TalenTeam to provide the Services. TalenTeam shall procure that any such sub-contractor enters into a written contract with TalenTeam which contains obligations for the protection of Personal Data which are no less onerous than those set out in this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.clause

Appears in 1 contract

Sources: Master Services Agreement

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor in relation to Authority Personal Data. 22.2 The Supplier shall: 22.2.1 Process the Authority Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Authority Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Available Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Authority Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Authority Personal Data and having regard to the nature of the Authority Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Authority Personal Data; 22.2.5 obtain prior Approval written consent from the Authority in order to transfer the Authority Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors or Affiliates Contractor) for the provision of the Available Services; 22.2.6 ensure that all Supplier Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Supplier Staff publish, disclose or divulge any of the 
Authority Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to Authority Personal Data relating to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made relating to Authority Personal Data, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Authority Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 22.3 The Supplier shall: (a) 22.3.1 permit the Authority or the Authority’s Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or 
Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 22.1 With respect 14.1 Where applicable and subject to the Parties' rights and obligations under this Framework Agreementclause 14.7, the Parties agree that the Authority Client is the "Data Controller Controller" and that the Supplier is the Data "Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance " with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority respect to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject 
to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation provided to Supplier by Client. 14.2 As a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Processor, Supplier shall: (a) permit process any Personal Data in accordance with the Authority instructions of Client, the Data Protection Legislation and / or the Authority’s Representative (subject to the reasonable provisions of this Agreement, and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreementfor no other purpose; (b) provide a written description of the take appropriate technical and organisational methods employed by the Supplier for Processing organizational measures to prevent unauthorized or unlawful processing of Personal Data (within the timescales required by the Authority); andData, as well as any accidental damage, loss or destruction thereof; (c) take all reasonable steps to ensure that all Supplier (and its Affiliates) Representatives who access, or process Personal Data are required to maintain confidentiality; (d) Except as provided in 
Section 14.5 of these Terms and Conditions, Supplier will not cause or permit to be Processed and/or otherwise transferred transfer any Personal Data outside the European Economic Area any Personal Data supplied to unless it by the Authority or any Other Contracting Body without has obtained the prior written consent of from Client, and that the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are met: (i) Supplier has provided appropriate precautions regarding this transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any for all Personal Data that is transferred; and (iiiv) any comply with all reasonable instructions regarding the processing of Personal Data, which Client has notified to it by the Authority or Contracting Body concerned.in advance; 22.2.11 The Supplier shall comply (e) assist Client, at all times Client's expense, to respond to any requests from a data subject and to assist Client in complying with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable his / her obligations under the Data Protection Legislation, in the field of security, notification of infringements, impact assessment and consultations with supervisory or regulatory authorities; (f) notify Client as soon as possible of any violation of Personal Data that it becomes aware of; (g) Upon Client's written directive, Supplier will delete or return Personal Data, as well as their copies, upon termination of the Agreement, unless a law in force requires them to 
store the Personal Data; and (h) maintain complete and accurate records and information to demonstrate compliance with clause 14.2. 14.3 Client shall: (a) process Personal Data in accordance with the provisions of the Data Protection Legislation; (b) ensure that the processing of the Personal Data of such individuals is in accordance with any applicable privacy policy; and (c) provide Supplier with the assistance reasonably required by Supplier to comply with its obligations under this clause 14. 14.4 Client will not use the Services: (a) to send commercial, or marketing e-mails or unwanted invitations; (b) to request particular categories of Personal Data from the data subjects and / or disclose them to third parties; (c) to request, collect, store and / or disclose credit or social security card numbers of Respondents or violate one or more Data Protection Legislation; (d) to communicate any message or document deemed offensive, abusive, harassing, threatening, indecent, obscene, racially, ethnically or otherwise, hateful, deviant, defamatory, slanderous or otherwise unlawful; (e) in a manner constituting a violation of any Intellectual Property Rights of a third party; (f) in any way constituting a violation of any applicable laws, rules or regulations, including, but not limited to, any Data Protection Legislation; or (g) in a manner constituting or encouraging conduct that is considered to be a crime or a civil offense by law and regulation in force. 14.5 Client consents to the transfer of Personal Data to the Group Company Toluna USA, Inc. ("Toluna USA") for hosting and backup purposes. Toluna USA acknowledges that the European Union has strict safeguards regarding the processing of Personal Data within the EU, including obligations to provide adequate protection for Personal Data transferred outside the EU. 
To provide adequate protection for certain Personal Data concerning individuals within the EU (including our business customers, suppliers, business partners, job applicants and employees in the United States). Toluna USA has chosen to certify its own membership of the EU-US Privacy Shield Framework administered by the US Department of Commerce ("Data Protection Shield"). Toluna USA is responsible for the processing of Personal Data it receives, in accordance with the Data Protection Shield, and then transfers it to a third party acting as agent for its own account. Toluna USA adheres to the principles of the Data Protection Shield: notification, choice, responsibility for the subsequent transfer, security, integrity and limitation to a specific purpose of the Personal Data, access, remedy, application and liability. 14.6 The Parties shall comply with Appendix 1 where Supplier shares Personal Data for Services titled ‘▇▇▇▇▇▇ Interactive Pop-Up Communities’, ‘Toluna Quick Communities’ or Services relating to Digital Tracking under clause 20.

Appears in 1 contract

Sources: Terms and Conditions

Data Protection. 22.1 With respect to the Parties' rights 23.1 The Authority recognises, understands, and obligations under this Framework Agreementagrees that Contractor is not subject to, the Parties agree that the Authority is the and therefore does not comply with United Kingdom Data Controller and that the Supplier is the Data ProcessorProtection Legislation. 22.2 23.2 The Supplier Contractor shall: 22.2.1 23.2.1 Process the Personal Data only in accordance with instructions from the Authority or as reasonably necessary to perform the Services (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority to the Supplier Contractor during the Term); 22.2.2 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law applicable law or any Regulatory Bodyregulation; 22.2.3 implement appropriate 23.2.3 Implement commercially reasonable technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 23.2.4 obtain prior Approval written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates (except for ▇▇▇▇▇▇ North America Inc., to whom Personal Data may be transferred for, among other purposes, IT support functions) for the provision of the Services;, unless necessary to meet its obligations under this Contract and, where such Personal Data is transferred the Contractor shall: 22.2.6 ensure i. provide only the minimum Personal Data necessary; and ii. Require the Sub Contractor to provide an adequate level of protection to any Personal Data that is transferred. 23.2.5 Ensure that all Supplier Contractors’ Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)Condition; 22.2.7 23.2.6 ensure that none of Supplier’s Staff Contractor’s personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as necessary to perform the Services; 22.2.8 23.2.7 notify the Authority reasonably promptly (and within five (5ten Working Days) Working Days if it receives: (a) i. a request from a Data Subject to have access to that person's Personal Data; or (b) a ii. A complaint or request relating to the Authority's Authority’s obligations under the any Data Protection Legislation; 22.2.9 provide 23.2.8 Provide the Authority with full reasonable cooperation and assistance in relation to any complaint or request made, including by: (a) i. 
providing the Authority with full details of the complaint or request; (b) ii. complying with a data access request within a reasonable timeframe of the relevant timescales set out request, making commercially reasonable efforts to respond in time to allow the Data Protection Legislation and in accordance with the Authority's instructionsAuthority adequate time to respond to any such complaint or request; (c) providing iii. Providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authoritya reasonable timeframe); and (d) providing iv. Providing the Authority with any information reasonably requested by the Authority that relates to the Authority; 22.2.10 The Supplier shall: (a) permit 23.2.9 provide the Authority or the Authority’s Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect with appropriate assurances, evidences and audit, explanations of the Supplier's Contractor’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractorsand, to the extent Contractor has the right, any Sub-contractors, who process the Authority’s Personal Data) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier Contractor is in full compliance with its obligations under this Framework AgreementContract; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer 
outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Master Contract

Data Protection. 22.1 With respect 19.1. The terms "process" (and its derivatives), "data controller" and "personal data" shall have the meanings given to them in the Data Protection Legislation. 19.2. In order for us (or our Subcontractors) to provide the Services, you may need to supply certain information or data to us. Where such information or data constitutes personal data we shall only undertake processing of that personal data of which you are a data controller (referred to hereafter as the "Relevant Personal Data") for the purposes of, and to the Parties' rights and extent reasonably required, to enable us to perform our obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data ProcessorAgreement or a Service Order. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only 19.3. All personal data that we may use will be collected, processed, and held in accordance with instructions from the Authority provisions of the Data Protection Legislation and your rights thereunder. 19.4. You acknowledge that, in respect of all End User personal data that you provide to us, you are the data controller and Gigabit is the data processor. 19.5. Gigabit shall bring into effect and maintain appropriate technical and organisational measures (a) to maintain security of the Relevant Personal Data; and (b) to prevent unauthorised or unlawful access to or processing of Relevant Personal Data and accidental loss or destruction of, or damage to, Relevant Personal Data, in accordance with our Privacy Policy. 19.6. 
We may not transfer any Relevant Personal Data to a country or territory outside the European Economic Area which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified is not deemed by the Authority applicable data protection regulator(s) to the Supplier during the Term); 22.2.2 Process the Personal Data only provide an adequate level of protection other than in compliance with your instructions, provided that those instructions shall be deemed to the extent, and include any transfers which are necessary in such manner, as it necessary for connection with the provision of the Services where subject to adequate safeguards including those prescribed by clause 19.5 above. 19.7. Where you are a Partner, if the data subject of any Relevant Personal Data who is an End User of yours makes a written request to Gigabit for access to Relevant Personal Data, Gigabit shall notify you and refer the data subject to you (as data controller) to respond to the request. 19.8. Where you are a Partner, we shall promptly notify you, if we become aware that any End User personal data provided to us by you has been the subject of a Data Breach and we shall consult with you (both Parties acting reasonably) regarding what measures and actions are necessary to mitigate or as is required by Law or any Regulatory Bodyremedy the effects of the Data Breach. 19.9. 
You agree that we may collect Relevant Personal Data from you via our Web Site and that we may hold all names and other information in the Service Order in a computerised database for the following purposes (including but not limited to): a) submission to a credit reference agency; 22.2.3 implement appropriate technical b) to establish and organisational measures manage your account, including providing notifications to protect the you regarding your account; c) to provide you with information or support which you request; d) to inform you about new services; and e) to bill and collect for services. 19.10. The information we request may include Relevant Personal Data against unauthorised such as your name, billing and shipping address, telephone number, e-mail address or unlawful Processing and against accidental losscredit card information. It is solely your choice whether or not you provide this Relevant Personal Data. However, destructionshould you choose not to provide such information, damagewe may be unable to process an order, alteration fulfil a service or disclosuredisplay certain content on our Web Site. 19.11. These measures It shall be appropriate your responsibility to the harm which might result from keep any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Relevant Personal Data up to date and having regard you warrant and undertake to the nature of the Personal Data which is to be protected; 22.2.4 take all us that you have used reasonable steps endeavours to ensure the reliability that all of any Supplier’s Staff who have access to the Personal Data;your personal data and contact details are accurate and complete. 22.2.5 obtain prior Approval from the Authority in order to transfer the 19.12. 
We do not sell or rent Relevant Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the 
timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedparties. 22.2.11 The Supplier shall 19.13. We will comply at all times with the Data Protection Legislation and shall not perform its obligations in order to safeguard any Relevant Personal Data which you pass to us, in accordance with our Privacy Policy. 19.14. You acknowledge that we may, from time to time, be required under this Framework Agreement regulations and/or legislation to co-operate with and/or disclose provide Relevant Personal Data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information. 19.15. You agree that in such a way as order to cause improve the Authority service we provide to breach any of its applicable obligations under the Data Protection Legislationyou we may record and/or listen to calls received by our helpdesk.

Appears in 1 contract

Sources: Supply Agreement

Data Protection. 22.1 With 14.1 Both parties agree to comply with all applicable requirements of the Data Protection Act 2018 as amended or updated from time to time (“DP Legislation”). 14.2 The parties acknowledge that for the purposes of the DP Legislation, it may be necessary for the Client to process certain personal data (as defined in the DP Legislation) on behalf of the Supplier, and the Client may act as a “controller” or a “processor” (as defined in the GDPR) in respect of such personal data. In these circumstances each party undertakes to fully comply with the Parties' rights applicable obligations imposed on it acting in such capacity under the DP Legislation. 14.3 Each party shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of personal data for the duration and purposes of this agreement. 14.4 In relation to any personal data processed in connection with its obligations under this Framework Agreement, Agreement the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 
22.2 The Supplier Client shall: 22.2.1 Process 14.4.1 process the Personal Data personal data only in accordance with instructions from on the Authority (which may be specific instructions or written instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during unless the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as Client is required by Law or any Regulatory Bodyapplicable law to process such data and notifies the Supplier to this effect; 22.2.3 implement 14.4.2 ensure that it has in place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and processing, or against accidental lossloss or destruction of, destructionor damage to the personal data, damage, alteration or disclosure. These measures shall be appropriate to the harm which that might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data such occurrence and having regard to the nature of the Personal Data which is data to be protected; 22.2.4 take 14.4.3 ensure that all reasonable steps to ensure the reliability of any Supplier’s Staff personnel who have access to the Personal Dataand/or process personal data are obliged to keep it confidential; 22.2.5 obtain prior Approval from the Authority in order to 14.4.4 not transfer the Personal Data to any Sub-Contractors or Affiliates for the provision personal data outside of the ServicesEuropean Economic Area; 22.2.6 ensure that all 14.4.5 promptly assist the Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply in ensuring compliance with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to 
any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's its obligations under the Data Protection LegislationLegislation with respect to security, impact assessments and consultations with supervisory authorities or regulators and including with any requests from data subjects; 22.2.9 provide 14.4.6 notify the Authority with full cooperation and assistance in relation Supplier without delay on becoming aware of a personal data breach relating to any complaint or this Agreement; Carbon60 Limited Date Version Page Services Agreement / SOW - UK December 2019 2.0 5 14.4.7 at the request made, including by: (a) providing the Authority with full details of the complaint Supplier, delete or request; (b) complying with a return all personal data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales on termination of this Agreement unless required by law to store the Authoritypersonal data; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the 
Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Terms and Conditions for Sow Services

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates Affiliated Company for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; 
or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any 
Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Courier Services Framework Agreement

Data Protection. 22.1 With 11.1 The General Practice and Niche Health agree that, with respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access 
to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier General Practice is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth and Niche Health is a Data Protection Principle set out in Schedule 1 Processor acting 
on behalf of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedGeneral Practice. 11.2 The General Practice shall comply at all times with the Data Protection Legislation and shall notify Niche Health promptly in the event of any breach by the General Practice of its applicable obligations under the Data Protection Legislation. 11.3 The General Practice undertakes to provide all necessary notices to and obtain all necessary consents from Data Subjects to enable the use of the Personal Data of those Data Subjects in accordance with the Data Protection Legislation. 11.4 To the extent that Niche Health is a Data Processor acting on the General Practice’s behalf, it shall: 11.4.1 Process the Personal Data only in accordance with the General Practice’s written instructions; 11.4.2 implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to protect the Personal Data against a breach of security caused by unauthorised or unlawful processing and against accidental or unlawful destruction, loss, damage, alteration or unauthorised disclosure of or access to the Personal Data; 11.4.3 ensure that any employees or other persons authorised by Niche Health to process the Personal Data are subject to appropriate obligations of confidentiality; 11.4.4 not transfer the Personal Data outside of the European Economic Area without the prior written consent of the General Practice; 11.4.5 notify the General Practice, as soon as reasonably practicable, about any request or complaint received from a Data Subject (without responding to that request, unless authorised by the General Practice to do so) and assist the General Practice by technical and organisational 
measures, insofar as possible, for the fulfilment of its obligations in respect of such requests and complaints; 11.4.6 on request by the General Practice and taking into account the nature of the Processing and the information available to Niche Health, use reasonable endeavours to assist the General Practice in ensuring compliance with its obligations under Articles 32 to 36 of the General Data Protection Regulation (EU) 2016/679 (where applicable) in respect to the Personal Data; 11.4.7 subject to clause 11.5, not engage any third party to carry out Niche Health’s Processing obligations under this Licence without obtaining the General Practice’s prior written consent, and where such consent is given, procuring by way of a written contract that such third party will, at all times during the engagement, be subject to data processing obligations equivalent to those set out in this clause 11.4; 11.4.8 on request by the General Practice, make available the information necessary to demonstrate Niche Health's compliance with this clause 11.4 and on reasonable advance notice in writing otherwise permit, and contribute to, audits carried out by the General Practice (or its authorised representative) with respect to the Personal Data, provided that the General Practice shall (or shall ensure its authorised representatives shall): (i) provide at least 30 working days’ advance notice of its intention to carry out an audit; (ii) use reasonable endeavours to ensure that the conduct of any such audit does not unreasonably disrupt Niche Health's normal business operations; and (iii) comply with Niche Health's IT and security policies whilst carrying out any such audit; and 11.4.9 on termination or expiry of this Licence, destroy or return to the General Practice all Personal Data and delete all existing copies of such data (except to the extent that Niche Health is required to keep or store such Personal Data by law). 
11.5 The General Practice hereby consent to the use by Niche Health of the following category of sub-processor: IT service providers. 11.6 The General Practice acknowledge that clause 11.4 shall not apply to the extent that Niche Health is required by law to Process the Personal Data other than in accordance with the General Practice’s instructions and, in such case, Niche Health shall inform the General Practice of the relevant legal requirement prior to Processing (unless the law prohibits the provision of such information on important grounds of public interest). 11.7 The General Practice shall reimburse any reasonable costs incurred by Niche Health in the performance of its obligations under clauses 11.4.5, 11.4.6 and 11.4.8. 11.8 For the purposes of clause 11.4: 11.8.1 the type of Personal Data are: (i) the details of a patient’s medical record, including surname, forename, NHS number, date of birth, address and the coded information, free text and attachments forming part of a patient’s medical record; and (ii) names and contact details of Authorised Users; 11.8.2 the categories of Data Subjects are: (i) the patients registered with and/or treated by the General Practice; and (ii) the Authorised Users; 11.8.3 the nature/purpose of the Processing is to enable Niche Health to make available the Product and associated services (which form the subject matter of the Processing); and 11.8.4 the duration of the Processing shall be the term of this Licence.

Appears in 1 contract

Sources: End User Licence Agreement

Data Protection. 15.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 15.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: 15.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); 15.2.2 carry out the Processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 15.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 15.2.5 obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 15.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; 15.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; 15.2.8 notify the CUSTOMER (within five (5) Working Days) if it receives: 15.2.8.1 a request from a Data Subject to have access to that person’s Personal Data; or 15.2.8.2 a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; 15.2.9 provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: 15.2.9.1 providing the CUSTOMER with full details of the complaint or request; 15.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; 15.2.9.3 providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the 
CUSTOMER); and 15.2.9.4 providing the CUSTOMER with any information requested by the CUSTOMER; 15.2.10 permit the CUSTOMER or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; 15.2.11 provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and 15.2.12 not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: 15.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 15.2.12.2 any reasonable instructions notified to it by the CUSTOMER. 
15.3 The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements. 15.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 15.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 15.4.2 the rights of Data Subjects, including but not limited to subject access rights. 15.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. 15.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor. 
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 32, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 32 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. 15.7 Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of Personal Data by the SERVICE PROVIDER is strictly prohibited. 
15.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors. 15.9 If the SERVICE PROVIDER is responsible for storing any CUSTOMER data as part of the Ordered Services then: 14.9.1 it shall perform secure back-ups of all such data and shall ensure that up-to-date back-ups of such data are stored off-site in accordance with a business continuity and disaster recovery plan and ensure that such back-ups are available to the CUSTOMER at all times upon request; 14.9.2 it shall not delete or remove any proprietary notices contained within or relating to such data; 14.9.3 it shall not store, copy, disclose, or use the CUSTOMER’S data except as necessary for the performance of its obligations under this Contract; 14.9.4 it shall ensure that any system on which it holds any CUSTOMER data, including back-up data, is a secure system that complies with the CUSTOMER’s security policies; and 14.9.5 if at any time the SERVICE PROVIDER suspects or has reason to believe that such CUSTOMER data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then it shall notify the CUSTOMER immediately and inform the CUSTOMER of the remedial action it proposes to take.

Appears in 1 contract

Sources: Telecommunications

Data Protection. 15.1 The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 15.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: 15.2.1 carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); 15.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 15.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 15.2.4 take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 15.2.5 obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 15.2.6 ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; 15.2.7 ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; 15.2.8 notify the CUSTOMER (within five (5) Working Days) if it receives: 15.2.8.1 a request from a Data Subject to have access to that person’s Personal Data; or 15.2.8.2 a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; 15.2.9 provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: 15.2.9.1 providing the CUSTOMER with full details of the complaint or request; 15.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; 15.2.9.3 providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the 
CUSTOMER); and 15.2.9.4 providing the CUSTOMER with any information requested by the CUSTOMER; 15.2.10 permit the CUSTOMER or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; 15.2.11 provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and 15.2.12 not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: 15.2.12.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 15.2.12.2 any reasonable instructions notified to it by the CUSTOMER. 
15.3 The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements. 15.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 15.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or 15.4.2 the rights of Data Subjects, including but not limited to subject access rights. 15.5 The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. 15.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor. 
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 29, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 29 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. 15.7 Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited. 
15.8 The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Sources: Consultancy Services Agreement

Data Protection. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, they are joint Controllers. Schedule 6 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Contractor may process to fulfil the Parties' purposes specifically set out in that Schedule 6. The Contractor shall seek relevant permission from the Data Subjects to process their Personal Data and ensure it is processed in accordance with the Data Protection Legislation and the Contractor’s privacy policy. 17.2 The Parties agree that: 17.2.1 they shall provide Data Subjects with a point of contact for Data Subjects and are responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; 17.2.2 they shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and obligations for any enquiries concerning their Personal Data or privacy; 17.2.3 they are responsible for compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; 17.2.4 they are responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and 17.2.5 shall make available to Data Subjects the essence of this joint Controller arrangement and Schedule 6 (and notify them of any changes to it) concerning the allocation of responsibilities as joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. 
This must be outlined in the Authority is Contractor’s privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 17.3 Notwithstanding the terms of paragraph 17.2, the Parties acknowledge that a Data Subject has the right to exercise their legal rights under the Data Controller Protection Legislation as against the relevant Party as Data Controller. Undertakings of both Parties 17.4 The Contractor and the Department each undertake that the Supplier is the Data Processor. 22.2 The Supplier they shall: 22.2.1 Process 17.4.1 report to the other Party every 12 (twelve) months on: (a) the volume of Data Subject Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf); (b) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data; (c) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation; (d) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and (e) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; that it has received in relation to the subject matter of Schedule 6 during that period; 17.4.2 notify each other immediately if it receives any request, complaint or communication made as referred to in paragraphs 17.4.1(a) to (e); and 17.4.3 provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in paragraphs 17.4.1(c) to (e) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation. 
17.4.4 not disclose or transfer the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it any third party unless necessary for the provision of the Services and, for any disclosure or as transfer of Personal Data to any third party, save where such disclosure or transfer is specifically authorised under this Contract (or is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures Law). For the avoidance of doubt to protect the which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Clause 17 and Schedule 6. 17.4.5 request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information. 17.4.6 ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to processing of the harm which might result from any unauthorised or unlawful Processing, Personal Data and/or accidental loss, destruction or damage to the Personal Data and having regard unauthorised or unlawful disclosure of or access to the nature of the Personal Data which is to be protected;Data. 
22.2.4 17.4.7 take all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff of its Personnel who have access to the Personal DataData and ensure that its Personnel: (a) are aware of and comply with their duties under this Clause 17 and Schedule 6 (Processing, Personal Data and Data Subjects) and those in respect of Confidential Information; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data (b) are informed of the confidential nature of the Personal Data Data, are subject to appropriate obligations of confidentiality and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing where that Party would not be permitted to do so so; (c) have undergone adequate training in the use, care, protection and handling of personal data as required by the Authorityapplicable Data Protection Legislation; 22.2.8 notify the Authority within five (5) Working Days if 17.4.8 ensure that it receiveshas in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details nature of the complaint or requestdata to be protected; (b) complying with harm that might result from a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructionsLoss 
Event; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authoritystate of technological development; and (d) providing cost of implementing any measures. 17.4.9 ensure that it has the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: capability (a) permit the Authority whether technological or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakingsotherwise), to inspect and auditthe extent required by Data Protection Legislation, to provide or correct or delete at the Supplier's data Processing activities (and/or those request of its agents, subsidiaries and Sub-Contractors) and comply with a Data Subject all reasonable requests or directions by the Authority Personal Data relating to enable the Authority to verify and/or procure that Data Subject that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority)Contractor holds; and (c) not cause or permit to be Processed and/or otherwise transferred outside 17.4.10 ensure that it notifies the European Economic Area any Personal Data supplied to other Party as soon as it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations becomes aware of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority 
or Contracting Body concernedLoss Event. 22.2.11 The Supplier 17.5 Each joint Controller shall use its reasonable endeavours to assist the other Controller to comply at all times with the any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Framework Agreement Annex in such a way as to cause the Authority other Joint Controller to breach any of its’ obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations Data Protection Breach 17.6 Without prejudice to clauses 17.4 and 17.5 each Party shall notify the other Party promptly and without undue delay, and in any event within 48 hours, upon becoming aware of any Personal Data Breach or circumstances that are likely to give rise to a Personal Data Breach, providing the other Party and its applicable advisors with: 17.6.1 sufficient information and in a timescale which allows the other Party to meet any obligations to report a Personal Data Breach under the Data Protection Legislation; 17.6.2 all reasonable assistance, including: (a) co-operation with the other Party and the Information Commissioner investigating the Personal Data Breach and its cause, containing and recovering the compromised Personal Data and compliance with the applicable guidance; (b) co-operation with the other Party including taking such reasonable steps as are directed by the Department to assist in the investigation, mitigation and remediation of a Personal Data Breach; (c) co-ordination with the other Party regarding the management of public relations and public statements relating to the Personal Data Breach; (d) providing the other Party and to the extent instructed by the other Party to do so, and/or the Information Commissioner investigating the Personal Data Breach, with complete information relating to the Personal Data Breach, including, without limitation, the 
information set out in Paragraph 17.4. 17.7 Each Party shall take all steps to restore, re-constitute and/or reconstruct any Personal Data where it has lost, damaged, destroyed, altered or corrupted as a result of a Personal Data Breach as if it was that Party’s own data at its own cost with all possible speed and shall provide the other Party with all reasonable assistance in respect of any such Personal Data Breach, including providing the other Party, as soon as possible and within 48 hours of the Personal Data Breach relating to the Personal Data Breach, in particular: 17.7.1 the nature of the Personal Data Breach;

Appears in 1 contract

Sources: Call Off Contract

Data Protection. 22.1 15.1 The Service Provider acknowledges the Authority's ownership of Intellectual Property Rights which may subsist in the Authority’s Data. The Service Provider shall not delete or remove any copyright notices contained within or relating to the Authority’s Data. 15.2 The Service Provider and the Authority shall each take reasonable precautions (having regard to the nature of their other respective obligations under this Agreement) to preserve the integrity of the Authority’s Data and to prevent any corruption or loss of the Authority’s Data. 15.3 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree acknowledge that the Authority is the a Data Controller and that the Supplier Service Provider is the a Data Processor. 22.2 15.4 The Supplier Service Provider shall: 22.2.1 15.4.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in to perform its obligations under this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Agreement; 22.2.2 Process the Personal Data only to the extent, and 15.4.2 ensure that at all times it has in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect the Personal Data guard against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to processing of the harm which might result from any unauthorised or unlawful Processing, Personal Data and/or accidental loss, destruction or damage to the Personal Data and having regard to the nature of Data; 15.4.3 not disclose or transfer the Personal Data which to any third party or Service Provider Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is to be protectedspecifically authorised under this Agreement); 22.2.4 15.4.4 take all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff Service Provider Personnel who have access to the Personal DataData and ensure that the Service Provider Personnel: 15.4.4.1 are aware of and comply with the Service Provider's duties under this ▇▇▇▇▇▇ and Clause 17 (Confidentiality); 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data 15.4.4.2 are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityAuthority or as otherwise permitted by this Agreement; and 15.4.4.3 have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 22.2.8 15.4.5 notify the Authority within five (5) Working Days if it receives: (a) a request 15.4.5.1 from a Data Subject (or third party on their behalf): (A) a Data Subject Access Request (or purported Data Subject Access Request); (B) a request to have access to that person's 
rectify, block or erase any Personal Data; or or (bC) a any other request, complaint or request communication relating to the Authority's obligations under the Data Protection LegislationDPA; 22.2.9 15.4.5.2 any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or 15.4.5.3 a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; 15.4.6 provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint complaint, communication or request mademade as referred to in Clause 15.4.5, including byby promptly providing: (a) providing 15.4.6.1 the Authority with full details and copies of the complaint complaint, communication or request; (b) complying 15.4.6.2 where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with a data access request the Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation and in accordance with DPA; and 15.4.6.3 the Authority's instructions; (c) providing , on request by the Authority Authority, with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthoritySubject; and (d) providing the Authority with any information 15.4.7 if requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a 
written description of the measures that it has taken and technical and organisational methods employed by security measures in place, for the Supplier for Processing purpose of compliance with its obligations pursuant to this Clause and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 15.5 The Service Provider shall not Process or otherwise transfer any Personal Data (within the timescales required by the Authority); and (c) not cause in or permit to be Processed and/or otherwise transferred any country outside the European Economic Area or any country not deemed adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together "Restricted Countries"). If, after the Effective Date, the Service Provider or any Sub-contractor wishes to Process and/or transfer any Personal Data supplied in or to it by any Restricted Countries, the following provisions shall apply: 15.5.1 the Service Provider shall submit a Change Request to the Authority or any Other Contracting Body without the prior written consent of which, if the Authority or Contracting Body concerned andagrees to such Change Request, where shall be dealt with in accordance with the Authority or Other Contracting Body concerned consents Change Control Procedure and Clauses 15.3.2 to Processing and/or transfer outside 15.3.4 15.5.2 the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle Service Provider shall set out in Schedule 1 its Change Request and/or Impact Assessment details of the following: 15.5.2.1 the Personal Data Protection Act 1998 by providing which will be transferred to and/or Processed in any Restricted Countries; 15.5.2.2 the Restricted Countries which the Personal Data will be transferred to and/or Processed in; and 15.5.2.3 any Sub-contractors or other third parties who will be Processing and/or 
receiving Personal Data in Restricted Countries; 15.5.2.4 how the Service Provider will ensure an adequate level of protection to any and adequate safeguards in respect of the Personal Data that is transferredwill be Processed in and/or transferred to Restricted Countries so as to ensure the Authority's compliance with the DPA; 15.5.3 in providing and evaluating the Change Request and Impact Assessment, the Parties shall ensure that they have regard to and comply with then-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and 15.5.4 the Service Provider shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: 15.5.4.1 incorporating standard and/or model clauses (ii) any reasonable instructions notified to it which are approved by the European Commission as offering adequate safeguards under the DPA) into this Agreement or a separate data processing agreement between the Parties; and 15.5.4.2 procuring that any Sub-contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: (A) a direct data processing agreement with the Authority or Contracting Body concernedon such terms as may be required by the Authority; or (B) a data processing agreement with the Service Provider on terms which are equivalent to those agreed between the Authority and the Sub- contractor relating to the relevant Personal Data transfer, and in each case which the Service Provider acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary 
for the purpose of protecting Personal Data. 22.2.11 15.6 The Supplier Service Provider shall use its reasonable endeavours to assist the Authority to comply at all times with any obligations under the Data Protection Legislation DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable the Authority's obligations under the Data Protection LegislationDPA to the extent the Service Provider is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Sources: Service Agreement

Data Protection. 22.1 With respect 14.1 The SERVICE PROVIDER’s attention is hereby drawn to the Parties' rights Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 14.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Framework AgreementContract, undertakes the Parties agree that Processing of Personal Data on behalf of the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier CLIENT, it shall: 22.2.1 Process 14.2.1 carry out the Processing of Personal Data only in accordance with instructions from the Authority CLIENT (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority CLIENT to the Supplier SERVICE PROVIDER during the Term); 22.2.2 Process 14.2.2 carry out the processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 22.2.3 14.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 14.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff SERVICE PROVIDER personnel who have access to the Personal Data; 22.2.5 14.2.5 obtain prior Approval written consent from the Authority CLIENT in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 22.2.6 14.2.6 ensure that all Supplier Staff any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)14; 22.2.7 14.2.7 ensure that none of Supplier’s Staff the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCLIENT; 22.2.8 14.2.8 notify the Authority CLIENT (within five (5) Working Days Days) if it receives: (a) 1.1.1.1 a request from a Data Subject to have access to that person's ’s Personal Data; or (b) 1.1.1.2 a complaint or request relating to the Authority's CLIENT’s obligations under the Data Protection LegislationRequirements; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The 
Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Legal Services Agreement

Data Protection. 22.1 With respect to [Include the Parties' rights blue parts of this clause and obligations Schedule 5 if the Supplier will be processing large amounts of personal data under this Framework Agreement]. 10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Parties agree Data Protection Legislation. 10.2 The parties acknowledge that for the Authority purposes of the Data Protection Legislation, OxLEP is the Data Controller controller and that the Supplier is the Data Processorprocessor. [Schedule 5 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.] 22.2 The 10.3 Without prejudice to the generality of clause 10.1, the Supplier shall: 22.2.1 Process , in relation to any personal data processed in connection with the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified performance by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the its obligations set out in under this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receivesAgreement: (a) a request from a Data Subject process that personal data only on the documented written instructions of OxLEP unless the Supplier is required by Applicable Law to have access to otherwise process that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or requestpersonal data; (b) complying with a ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructionsagainst accidental loss or destruction of, or damage to, personal data; (c) providing ensure that all personnel who have access 
to and/or process personal data are obliged to keep the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authoritypersonal data confidential; and (d) providing the Authority with not transfer any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's personal data Processing activities (and/or those outside of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without unless the prior written consent of OxLEP has been obtained and the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing conditions are fulfilled: (i) the Supplier has provided appropriate safeguards in relation to the transfer; and (ii) the Supplier complies with its obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 Legislation by providing an adequate level of protection to any Personal Data personal data that is transferred; and. 
(iie) assist OxLEP, at OxLEP's cost, in responding to any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times request from a data subject and in ensuring compliance with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation; (f) notify OxLEP without undue delay on becoming aware of a personal data breach; (g) if and when required by OxLEP, delete or return personal data and copies thereof to OxLEP unless required by Applicable Law to store the personal data; (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 10 and allow for audits by OxLEP or OxLEP's designated auditor; and (i) [indemnify OxLEP against any loss or damage suffered by OxLEP in relation to any breach by the Supplier of its obligations under this clause 10]. 10.4 OxLEP consents to the Supplier appointing the third party processors listed in Schedule 5. The Supplier confirms that it has entered or (as the case may be) will enter with the third party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause 10 and which reflect the requirements of the Data Protection Legislation. As between OxLEP and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to this clause 10. 10.5 If and when required by OxLEP any Personal Data held under or in connection with the Agreement must be securely destroyed and/or permanently deleted.

Appears in 1 contract

Sources: Services Agreement

Data Protection. 22.1 23.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority Commissioner is the Data Controller and that the Supplier is the Data Processor. 22.2 23.2 The Supplier shall: 22.2.1 23.2.1 Process the any Personal Data (as defined in the Data Protection Act 1998 as the same may be amended, replaced or re-enacted from time to time, any applicable statutory or regulatory provisions and all European Directives and regulations in force from time to time relating to the protection and transfer of personal data and any successor legislation without limitation including the General Data Protection Regulation (EU) 2016/679 with effect from 25 May 2018, together known as the “Data Protection Laws”) only in accordance with instructions from the Authority Commissioner (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority Commissioner to the Supplier during Supplier) and in line with the Term)Data Protection Laws; 22.2.2 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision delivery of the Services Supplier’s services or as is required by Law law or any Regulatory Bodyregulatory body; 22.2.3 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 23.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 and ensure that all Supplier Staff staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)clause 23; 22.2.7 23.2.5 ensure that none of Supplier’s Staff no staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCommissioner; 22.2.8 23.2.6 notify the Authority Commissioner (within five (5) Working Days Days) if it receives: (a) 23.2.6.1 a request from a Data Subject to have access to that person's Personal Data; or (b) 23.2.6.2 a complaint or request relating to the Authority's Commissioner’s obligations under the Data Protection LegislationLaws; 22.2.9 23.2.7 provide the Authority Commissioner with full cooperation and assistance in relation to any complaint or request made, including by: (a) 23.2.7.1 providing the Authority Commissioner with full details of the complaint or request; (b) 23.2.7.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Laws and in accordance with the Authority's Commissioner’s instructions; (c) 23.2.7.3 providing the Authority Commissioner with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 
22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the AuthorityCommissioner); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Supply Agreement

Data Protection. 22.1 With respect The Parties agree that in relation to: 22.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and 22.1.2 Personal Data, the processing of which is required by the Commissioner for the purposes of quality assurance, performance management and contract management the Commissioner and the Provider will be independent Data Controllers; together the “Agreed Purpose”. 22.2 Where the Commissioner requires information under clause 9.1.2 above, the Personal Data requirements shall be as set out in Schedule 2, including the type of Personal Data and duration of processing. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the Parties' rights and course of performing its obligations under this Framework Agreement, the Parties agree that the Authority is . 22.3 Any material breach of the Data Controller and that Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the Supplier is other Party, gives grounds to the Data Processorother Party to terminate this Agreement with immediate effect. 
22.2 The Supplier 22.4 In relation to the Processing of any Personal Data, each Party shall: 22.2.1 Process 22.4.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; 22.4.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; 22.4.3 process the Personal Data only in accordance with instructions from for the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Agreed Purpose; 22.2.2 Process 22.4.4 not disclose or allow access to the Personal Data only to anyone other than the Permitted Recipients; 22.4.5 ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the extent, care and in such manner, as it necessary for the provision handling of the Services or as is required by Law or any Regulatory BodyPersonal Data; 22.2.3 implement 22.4.6 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; 22.4.7 ensure that it has in place appropriate technical and organisational measures measures, to protect the Personal Data against unauthorised or unlawful Processing of Personal Data and against accidental lossloss or destruction of, destructionor damage to, damage, alteration Personal Data in accordance with Article 32 GDPR; 22.4.8 not transfer any Personal Data outside the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or disclosure. 
These measures shall be appropriate (iii) one of the derogations for specific situations in Article 49 GDPR applies to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to transfer; and 22.4.9 assist the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority other Party (at its own cost) in order to transfer the Personal Data responding to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Legislation;Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Commissioner’s Office. 
22.2.9 provide 22.5 Each Party shall notify the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details other Party without undue delay on becoming aware of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations Breach under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is 
transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Pharmacy Needle Exchange Service Agreement

Data Protection. 22.1 With respect 6.1 The Parties agree that in relation to: 6.1.1 Personal Data processed by the Contractor in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Contractor shall be the sole Data Controller; and 6.1.2 Personal Data, the processing of which is required by CGL or the Head Commissioner for the purposes of quality assurance, performance management and contract management CGL, the Head Commissioner and the Contractor will be independent Data Controllers; together the “Agreed Purpose”. 6.2 Where CGL or the Head Commissioner requires information under clause 6.1.2 above, the Contractor shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the Parties' rights requirements of CGL or the Head Commissioner, the Contractor shall provide such information in pseudonymised form where possible. 6.3 Schedule 2 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing. 6.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Framework Agreement, the Parties agree that the Authority is . 6.5 Any material breach of the Data Controller and that Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the Supplier is other Party, gives grounds to the Data Processorother Party to terminate this Agreement with immediate effect. 
22.2 The Supplier 6.6 In relation to the Processing of any Personal Data, each Party shall: 22.2.1 Process 6.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; 6.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; 6.6.3 process the Personal Data only in accordance with instructions from for the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Agreed Purpose; 22.2.2 Process 6.6.4 not disclose or allow access to the Personal Data only to anyone other than the Permitted Recipients; 6.6.5 ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the extent, care and in such manner, as it necessary for the provision handling of the Services or as is required by Law or any Regulatory BodyPersonal Data; 22.2.3 implement 6.6.6 ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; 6.6.7 ensure that it has in place appropriate technical and organisational measures measures, to protect the Personal Data against unauthorised or unlawful Processing of Personal Data and against accidental lossloss or destruction of, destructionor damage to, damage, alteration Personal Data in accordance with Article 32 GDPR; 6.6.8 not transfer any Personal Data outside the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or disclosure. 
These measures shall be appropriate (iii) one of the derogations for specific situations in Article 49 GDPR applies to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to transfer; and 6.6.9 assist the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority other Party (at its own cost) in order to transfer the Personal Data responding to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Legislation;Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Commissioner’s Office. 
22.2.9 provide 6.7 Each Party shall notify the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details other Party without undue delay on becoming aware of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations Breach under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is 
transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Service Level Agreement

Data Protection. 22.1 With respect 27.1 In this clause 27, the terms, “processing”, “data controller” and “data processor”, “data protection officer” “data subject” “personal data” “personal data breach” shall have the same meanings given to them under UK GDPR or the EU GDPR as the context requires. 27.2 The Supplier acknowledges the only Processing that it is authorised to do is listed in Schedule 7 (Processing Personal Data) by UKRI. 27.3 The Supplier shall notify UKRI immediately if it considers that any of UKRI’s instructions infringe the Data Protection Legislation. 27.4 The Supplier shall provide all reasonable assistance to UKRI in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of UKRI, include: 27.4.1 a systematic description of the envisaged Processing and the purpose of the Processing; 27.4.2 an assessment of the necessity and proportionality of the Processing in relation to the Parties' Goods and/or Services; 27.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 27.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 27.5 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shallContract: 22.2.1 27.5.1 Process the that Personal Data only in accordance with instructions from the Authority Schedule 7 (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to Processing Personal Data), unless the Supplier during is required to do otherwise by Law. 
If it is so required the Term); 22.2.2 Process Supplier shall notify UKRI before Processing the Personal Data only unless prohibited by Law; 27.5.2 ensure that it has in place Protective Measures, (if the Supplier is holding UKRI Data, including back-up data, that it is held by a secure system that complies with the Security Policy and any applicable Security Management Plan) which UKRI may reasonably reject (but failure to the extent, and in such manner, as it necessary for the provision reject shall not amount to approval by UKRI of the Services or as is required by Law or any Regulatory Body;adequacy of the Protective Measures) having taken account of the: 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the a) nature of the Personal Data which is data to be protected; 22.2.4 take b) harm that might result from a Personal Data Breach; c) state of technological development; and d) cost of implementing any measures; 27.5.3 ensure that: a) the Supplier Staff do not Process Personal Data except in accordance with the Contract (and in particular Schedule 7 (Processing Personal Data)); b) it uses all reasonable steps endeavours to ensure the reliability and integrity of any Supplier’s Supplier Staff who have access to the Personal DataData and ensure that they: (i) are aware of and comply with the Supplier’s duties under this Clauses 28 and 25; 22.2.5 obtain prior Approval from (ii) are subject to appropriate confidentiality undertakings with the Authority in order to transfer the Personal Data to Supplier or any Subsub-Contractors or Affiliates for the provision of the Servicesprocessor; 22.2.6 ensure that all 
Supplier Staff required to access the Personal Data (iii) are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by UKRI or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the Authorityuse, care, protection and handling of Personal Data; 22.2.8 notify 27.5.4 not transfer Personal Data outside of the Authority within five (5) Working Days if it receivesUK unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: (a) a request from a Data Subject to have access to that person's Personal Datathe transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or (b) a complaint UKRI or request relating the Supplier has provided appropriate safeguards in relation to the Authority's transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by UKRI which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures determined by UKRI; c) the Data Subject (as defined by the Data Protection Act 2018) has enforceable rights and effective legal remedies; d) the Supplier complies with its obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation 
and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist UKRI in meeting its obligations); and (iie) the Supplier complies with any reasonable instructions notified to it in advance by UKRI with respect to the Processing of the Personal Data; 27.5.5 where the Personal Data is subject to EU GDPR, not transfer Personal Data outside of the EU unless the prior written consent of 
UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the EU GDPR; or b) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Authority non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or Contracting Body concerned.such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; 22.2.11 The Supplier shall comply at all times c) the Data Subject has enforceable rights and effective legal remedies; d) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and e) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and 27.5.6 at the written direction of UKRI, delete or return Personal Data (and any copies of it) to UKRI on termination of this Contract unless the Supplier is required by Law to retain the Personal Data. 
27.6 Subject to Clause 28.7, the Supplier shall not perform its obligations notify UKRI immediately if in relation to it Processing Personal Data under or in connection with this Framework Agreement in such Contract it: 27.6.1 receives a way as Data Subject Access Request (or purported Data Subject Access Request); 27.6.2 receives a request to cause the Authority rectify, block or erase any Personal Data; 27.6.3 receives any other request, complaint or communication relating to breach any of its applicable either Party's obligations under the Data Protection Legislation; 27.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under the Contract; 27.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 27.6.6 becomes aware of a Personal Data Breach. 27.7 The Supplier’s obligation to notify under Clause 28.6 shall include the provision of further information to UKRI, as details become available. 
27.8 Taking into account the nature of the Processing, the Supplier shall provide UKRI with assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 28.6 (and insofar as possible within the timescales reasonably required by UKRI) including by immediately providing: 27.8.1 UKRI with full details and copies of the complaint, communication or request; 27.8.2 such assistance as is reasonably requested by UKRI to enable it to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 27.8.3 UKRI, at its request, with any Personal Data it holds in relation to a Data Subject; 27.8.4 assistance as requested by UKRI following any Personal Data Breach; and/or 27.8.5 assistance as requested by UKRI with respect to any request from the Information Commissioner’s Office or any other regulatory authority, or any consultation by UKRI with the Information Commissioner's Office or any other regulatory authority. 27.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with Clause 28. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: 27.9.1 UKRI determines that the Processing is not occasional; 27.9.2 UKRI determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 27.9.3 UKRI determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 27.10 The Supplier shall allow for audits of its Data Processing activity by UKRI or UKRI’s designated auditor. 27.11 The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 
27.12 Before allowing any sub-processor to process any Personal Data related to the Contract, the Supplier must: 27.12.1 notify UKRI in writing of the intended sub-processor and processing; 27.12.2 obtain the written consent of UKRI; 27.12.3 enter into a written agreement with the sub-processor which gives effect to the terms set out in this Clause 28 such that they apply to the sub-processor; and 27.12.4 provide UKRI with such information regarding the sub-processor as UKRI may reasonably require. 27.13 To the extent that UKRI provides its consent pursuant to clause 28.12, the Supplier shall flow down the contractual obligations contained in this clause 28 to sub-processors. For the avoidance of doubt, the Supplier shall remain fully liable for all acts or omissions of any of its sub-processors. 27.14 UKRI may, at any time on not less than 30 Working Days’ notice, revise this Clause 28 by replacing it with any applicable controller to Supplier standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 27.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. UKRI may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 27.2 Notwithstanding any other remedies available to UKRI, fully indemnify UKRI as a result of any such breach of the GDPR, by the Supplier or any other party used by the Supplier in its performance of the Contract that results in UKRI suffering fines, loss or damages.

Appears in 1 contract

Sources: Contract for the Supply of X Ray Diffraction System (Xrd)

Data Protection. 22.1 ‌ 16.9.1 With respect to the Parties' rights and obligations under this Framework AgreementContract, the Parties agree that the Authority Customer is the Data Controller and that the Supplier is the Data Processor. 22.2 16.9.2 The Supplier shall: 22.2.1 (a) Process the Personal Data only in accordance with instructions from the Authority Customer (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority Customer to the Supplier during the Term); 22.2.2 (b) Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services Supply or as is required by Applicable Law or any Regulatory Body; 22.2.3 (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 (d) take all reasonable steps to ensure the reliability of any Supplier’s of the Supplier Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to (e) not transfer the Personal Data to any Subsub-Contractors contractors or Affiliates for without first obtaining prior written consent from the provision of the Services;Customer;‌ 22.2.6 (f) ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)16.9; 22.2.7 (g) ensure that none of Supplier’s the Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed 
in writing to do so by the AuthorityCustomer; 22.2.8 notify the Authority within five (5) Working Days if it receives: (aA) a request from a Data Subject to have access to that person's ’s Personal DataData (a “Data Access Request”); or (bB) a complaint or request relating to the Authority's Customer’s obligations under the Data Protection LegislationRequirements; 22.2.9 (i) provide the Authority Customer with full cooperation and assistance in relation to any complaint or request made, including by: (aA) providing the Authority Customer with full details of the complaint or request; (bB) complying with a data access request Data Access Request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's Customer’s instructions; (cC) providing the Authority Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the AuthorityCustomer); and (dD) providing the Authority Customer with any information requested by the AuthorityCustomer; 22.2.10 The Supplier shall: (aj) permit the Authority or the Authority’s Representative Customer (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's ’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractorssub- contractors) and comply with all reasonable requests or directions by the Authority Customer to enable the Authority Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework AgreementContract; (bk) provide a written description of the technical and organisational methods employed by the Supplier for Processing processing Personal Data (within the timescales required by the AuthorityCustomer); and (cl) not cause or permit to be Processed and/or otherwise transferred Process Personal Data outside the European Economic Area any Personal Data supplied to it by the 
Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned Customer and, where the Authority or Other Contracting Body concerned Customer consents to Processing and/or a transfer outside of the European Economic AreaPersonal Data in accordance with Clause (e), to comply with: (iA) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (iiB) any reasonable instructions notified to it by the Authority or Contracting Body concernedCustomer. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Ancillary Services Contract

Data Protection. 22.1 With respect 17.1 The Contractor‟s attention is hereby drawn to the Parties' rights Data Protection requirements. LSIS and the Contractor shall observe their obligations under the Data Protection requirements. 17.2 Where the Contractor, pursuant to its obligations under this Framework AgreementContract, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier processes personal data on behalf of LSIS, it shall: 22.2.1 Process 17.2.1 process the Personal Data personal data only in accordance with instructions from the Authority LSIS (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority LSIS to the Supplier Contractor during the Termcontract); 22.2.2 Process 17.2.2 process the Personal Data personal data only to the extent, and in such manner, as it is necessary for the provision of the Services Service(s) or as is required by Law or any Regulatory Body;regulatory body 22.2.3 17.2.3 implement appropriate technical and organisational measures to protect the Personal Data personal data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to the Personal Data personal data and having regard to the nature of the Personal Data personal data which is to be protected; 22.2.4 17.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff Contractor personnel who have access to the Personal Data;personal data 22.2.5 17.2.5 obtain prior Approval written consent from the Authority LSIS in order to transfer the Personal Data personal data to any Subsub-Contractors or Affiliates for the provision of the Services;Service(s) 22.2.6 17.2.6 ensure that all Supplier Staff any Contractor personnel required to access the Personal Data personal data are informed of the confidential nature of the Personal Data personal data and comply with the obligations set out in this Clause 22 (Data Protection);Condition 22.2.7 17.2.7 ensure that none of Supplier’s Staff the Contractor personnel publish, disclose or divulge any of the Personal Data personal data to any third party unless directed in writing to do so by the Authority;LSIS 22.2.8 17.2.8 notify the Authority LSIS (within five (55 working days) Working Days if it receives: (a) 17.2.8.1 a request from a Data Subject data subject to have access to that person's Personal Data; orperson‟s personal data (b) 17.2.8.2 a complaint or request relating to the Authority's LSIS‟s obligations under the Data Protection Legislation;requirements 22.2.9 17.2.9 provide the Authority LSIS with full cooperation and assistance in relation to any complaint or request made, including by: (a) 17.2.9.1 providing the Authority LSIS with full details of the complaint or request; (b) 17.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation requirements and in accordance with the Authority's instructions;LSIS‟s instruction (c) 17.2.9.3 providing the 
Authority LSIS with any Personal Data personal data it holds in relation to a Data Subject data subject (within the timescales required by the Authority; andLSIS) (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) 17.2.10 permit the Authority LSIS or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's Contractor‟s data Processing processing activities (and/or those of its agents, subsidiaries and Subsub-Contractors) and comply with all reasonable requests or directions by the Authority LSIS to enable the Authority it to verify and/or procure that the Supplier Contractor is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.Contract

Appears in 1 contract

Sources: Contract for the Provision of Services

Data Protection. 22.1 With respect 16.1 The SERVICE PROVIDER’s attention is hereby drawn to the Parties' rights Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 16.2 Where the SERVICE PROVIDER, pursuant to its obligations under this Framework AgreementContract, processes Personal Data on behalf of the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier CUSTOMER, it shall: 22.2.1 Process 16.2.1 process the Personal Data only in accordance with instructions from the Authority CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement Contract or as otherwise notified by the Authority CUSTOMER to the Supplier SERVICE PROVIDER during the Term); 22.2.2 Process 16.2.2 process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; 22.2.3 16.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 16.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff SERVICE PROVIDER personnel who have access to the Personal Data; 22.2.5 16.2.5 obtain prior Approval written consent from the Authority CUSTOMER in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Ordered Services; 22.2.6 16.2.6 ensure that all Supplier Staff any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection)16; 22.2.7 16.2.7 ensure that none of Supplier’s Staff the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityCUSTOMER; 22.2.8 16.2.8 notify the Authority CUSTOMER (within five (5) Working Days Days) if it receives: (a) 16.2.8.1 a request from a Data Subject data subject to have access to that person's ’s Personal Data; or (b) 16.2.8.2 a complaint or request relating to the Authority's CUSTOMER’s obligations under the Data Protection LegislationRequirements; 22.2.9 16.2.9 provide the Authority CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: (a) 16.2.9.1 providing the Authority CUSTOMER with full details of the complaint or request; (b) 16.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation Requirements and in accordance with the Authority's CUSTOMER’s instructions; (c) 16.2.9.3 providing the Authority CUSTOMER with any Personal Data it holds in relation to a Data Subject data subject (within the timescales 
required by the AuthorityCUSTOMER); and (d) 16.2.9.4 providing the Authority CUSTOMER with any information requested by the AuthorityCUSTOMER; 22.2.10 The Supplier shall: (a) 16.2.10 permit the Authority CUSTOMER or the Authority’s Representative its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the Supplier's SERVICE PROVIDER’s data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority CUSTOMER to enable the Authority CUSTOMER to verify and/or procure that the Supplier SERVICE PROVIDER is in full compliance with its obligations under this Framework AgreementContract; (b) 16.2.11 provide a written description of the technical and organisational methods employed by the Supplier SERVICE PROVIDER for Processing processing Personal Data (within the timescales required by the AuthorityCUSTOMER); and (c) 16.2.12 not cause or permit to be Processed and/or otherwise transferred process Personal Data outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned CUSTOMER and, where the Authority or Other Contracting Body concerned CUSTOMER consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: (i) 16.2.12.1 the obligations of a Data Controller data controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 
22.2.11 16.3 The Supplier SERVICE PROVIDER shall comply at all times with the Data Protection Legislation Requirements and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Authority CUSTOMER to breach any of its applicable obligations under the Data Protection LegislationRequirements. 16.4 The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: 16.4.1 compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the processing of Personal Data; and/or 16.5 The SERVICE PROVIDER will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. 16.6 With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the data controller and the SERVICE PROVIDER is the data processor. Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 29, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the processing of Personal Data on behalf of theCustomer, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 29 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to process Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. 
The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Framework Agreement, including the terms set out in Clause 16.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 22.1 With respect The Parties undertake to the Parties' rights and comply with all their respective obligations under this Framework the DPA and warrant that they have in place and shall maintain throughout the continuance of the Agreement, all necessary notifications with the Parties agree that Information Commissioner’s Office as required under the Authority is the Data Controller and that the Supplier is the Data ProcessorDPA. 22.2 The Supplier Broker warrants that to the extent that it transfers Personal Data to Close pursuant to this Agreement, appropriate consent has been obtained from each Data Subject whose Personal Data is transferred 22.3 The Broker shall and upon request from Close, provide a copy of all Customers’ Personal Data held by them in such format and/or media as Close may reasonably specify. 22.4 If and to the extent that Close passes Personal Data to the Broker for processing, the Broker shall: 22.2.1 Process (a) process the Personal Data only for the purpose and in the manner specified by Close, in accordance with Close’s instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority time to the Supplier during the Term); 22.2.2 Process the Personal Data only time and subject to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational security measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental from inadvertent loss, destruction, damage, alteration or destruction and/or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to ; (b) treat the Personal Data as confidential and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer not disclose the Personal Data to any Sub-Contractors or Affiliates for the provision of the Servicesthird party without Close’s prior written consent; 22.2.6 ensure that all Supplier Staff required to access (c) not transfer the Personal Data outside of the European Economic Area without Close’s prior written consent; (d) comply with any request from Close requiring the Broker to amend, transfer or delete any Personal Data which was provided by Close; (e) notify Close immediately if it, receives a complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or either Party’s compliance with the DPA and provide Close with full co-operation and assistance in relation to any such complaint, notice or communication; (f) promptly inform Close if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable; (g) ensure that access to the Personal Data is limited to such Personnel who require access to it for the purposes of enabling the Broker to perform its obligations under this Agreement and provided that such Personnel are informed aware of the confidential nature of the Personal Data and comply with agree to be bound by confidentiality obligations at least equivalent to those imposed on the obligations set out in this Clause 22 Broker hereunder; and (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 
22.2.8 h) notify the Authority Close within five (5) Working 3 Business Days if it receives: (a) receives a request from a Data Subject to have for access to that person's ’s Personal Data; or. (b) a complaint or request relating 22.5 For the avoidance of doubt, Close shall not be required to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with transfer any Personal Data belonging to Customers to the Broker unless it holds has obtained consent from the Customer to do so. 22.6 The Broker agrees to indemnify and keep indemnified and hold Close harmless from and against any and all loss, liability, costs (including professional fees), claims, damages or demands which Close may suffer or for which it may become liable as a result of or in relation to a Data Subject (within the timescales required connection with any breach by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description Broker of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the 
timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent terms of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concernedthis clause 22. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Terms of Trade

Data Protection. 22.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Authority Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Authority Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Goods and Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Authority Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Authority Personal Data and having regard to the nature of the Authority Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Authority Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Authority Personal Data to any Sub-Contractors or Affiliated Company for the provision of the Goods and Services; 22.2.6 ensure that all Supplier’s Staff required to access the Authority Personal Data are informed of the confidential nature of the Authority Personal Data and comply with the obligations set out in this Clause 22; 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Authority Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Authority Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: 22.2.10.1 permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; 22.2.10.2 provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and 22.2.10.3 not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Authority Personal Data and Personal Data supplied to it by the Authority or any other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: 22.2.10.3.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 22.2.10.3.2 any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 22.1 With respect to 24.1 The Executive confirms that he/she has read and understood the Parties' rights and obligations under this Framework AgreementCompany's data protection policy, a copy of which is available on the Parties agree that the Authority is the Data Controller and that the Supplier is the Data ProcessorCompany Intranet. The Company may change its data protection policy in any way at any time. 22.2 24.2 The Supplier shall: 22.2.1 Process the Personal Data only in accordance with instructions from the Authority Company will process and may disclose personal data including sensitive personal data (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data terms are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out defined in the Data Protection Legislation Act 1998) relating to the Executive, and the Executive consents to the processing and disclosure of such data and also to the use by the Company or any other Group Company of his/her image or photograph for any purpose (including marketing). The Executive's personal data will be held by the Company in its manual and automated filing systems. 
24.3 The parties confirm that personal data including sensitive personal data can include but is not limited to: 24.3.1 information about the Executive's physical or mental health or condition for the purpose of the performance of the Appointment and this agreement (including the provision of any benefits under it), monitoring sickness absence, dealing with sick pay and determining the Executive's fitness to carry out duties on behalf of the Group; 24.3.2 information about the Executive's sex, marital status, race, ethnic origin or disability for the purpose of monitoring to ensure equality of opportunity and compliance with equal opportunities legislation; 24.3.3 information relating to any criminal proceedings in which the Executive has been involved for insurance purposes and in order to comply with any Applicable Laws and/or obligations to third parties; and/or 24.3.4 information obtained as a result of a Criminal Records Bureau or credit check or any similar statutory check that may be required under any Applicable Laws (and the Executive hereby consents to the Company carrying out any such checks in respect of him/her at any time).
24.4 The Company will process and may disclose any such data referred to above both inside and, where necessary, outside the European Economic Area (including to the United States) for the following purposes: 24.4.1 in order for the Appointment and this agreement to be performed; 24.4.2 in order to comply with any Applicable Laws and/or any legal or regulatory obligations which apply to the Company or any other Group Company (including contractual obligations); 24.4.3 for decisions to be made regarding the Executive's employment or continued employment, or any of the terms thereof; 24.4.4 for obtaining or carrying out work from or for Clients or Potential Clients; 24.4.5 for the purpose of any potential sale of over 50 percent of the shares of the Company or any Group Company or other change of control or any potential transfer of the Executive's employment under the Transfer of Undertaking (Protection of Employment) Regulations 2006; or 24.4.6 in order to comply with a request for disclosure made by any statutory or regulatory authority, court of law or law enforcement agency.
Disclosure may include, in the case of sale, change of control or transfer, disclosure to the potential purchaser or investor and their advisors, in the case of a service provision change, disclosure to a new service provider, and in the case of obtaining or carrying out work, disclosure to Clients or Potential Clients. 24.5 The Executive shall use all reasonable endeavours to keep the Company informed of any changes to his/her personal data. 24.6 The Executive acknowledges that in the course of the Appointment he/she may have access to personal and sensitive data relating to other employees and he/she agrees to keep such information confidential and otherwise to comply with the Company's data protection policy at all times.

Appears in 1 contract

Sources: Contract of Employment (Crawford & Co)

Data Protection. 22.1 With respect 14.1 The Company and the Supplier agree that, to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and extent that the Supplier is required to process any personal data as part of the Services, it shall do so on behalf of the Company as a data processor. 14.2 The Supplier warrants that it will process such personal data in accordance with the Data Processor. 22.2 The Protection ▇▇▇ ▇▇▇▇, the Privacy and Electronic Communications Regulation 2003 and any other relevant data protection legislation and, in particular, the Supplier shall: 22.2.1 Process 14.2.1 only carry out processing of such personal data for the Personal Data only purpose of performing the Services in accordance with instructions from this Agreement and in accordance with the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Company’s written instructions; 22.2.2 Process the Personal Data only to the extent, 14.2.2 implement and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement maintain appropriate technical and organisational security measures to protect the Personal Data such personal data against unauthorised or unlawful Processing processing and against accidental loss, damage, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 14.2.3 allow the Company to audit the Suppliers compliance with the requirements of this Condition 14 on reasonable notice and/or provide the Company with evidence of compliance with all the obligations set out in this Condition 14; 14.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff the personnel who have access to the Personal Datapersonal data; 22.2.5 obtain prior Approval 14.2.5 promptly provide such information to the Company as the Company may reasonably require to allow it to comply with the rights of data subjects, including subject access rights; 14.2.6 appoint, and identify to the Company, an individual within its organisation authorised to respond to enquiries from the Authority Company concerning the Supplier’s processing of personal data. 14.3 For the purposes of this Condition 14, “data processor”, “data subject”, “personal data” and “process” shall have the meanings ascribed to them in order to transfer the Personal Data to Protection ▇▇▇ ▇▇▇▇. 14.4 The Supplier warrants that any Subservants, agents or sub-Contractors or Affiliates for contractors used in the provision of the Services; 22.2.6 ensure Services shall be obliged to abide by this Condition 14 and that all Supplier Staff required to access it will remain the Personal Data are informed responsibility of the confidential nature Supplier to ensure compliance with this Condition and the Data Protection ▇▇▇ ▇▇▇▇. 
14.5 The Supplier shall, within 48 hours, notify the Company of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none any breach or suspected breach of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint obligations concerning personal or request relating sensitive data or confidential information to the Authority's obligations under extent that the Data Protection Legislation; 22.2.9 Supplier becomes aware of such breach and shall provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests assistance that may be required in order to resolve or directions by act upon such breach. 
14.6 To the extent that the Supplier is providing any Services which involves the processing, transmission or storing of any credit or debit card payments and/or cardholder information on behalf of the Company, it is agreed that: 14.6.1 the Supplier shall be fully responsible for the security of cardholder data that it possesses, including all functions relating to storing, processing and transmitting of the cardholder data; 14.6.2 the Supplier affirms that it has complied with all applicable requirements to be considered PCI DSS compliant and has performed the necessary steps to validate its compliance with the PCI DSS; 14.6.3 the Supplier agrees to supply the current status of the Supplier’s PCI DSS compliance status and evidence of its most recent validation of compliance upon execution of these terms and conditions to the Company. The Supplier must supply to the Company a new status report and evidence of validation of compliance at least annually; and 14.6.4 the Supplier will immediately notify the Company if it learns that it is no longer PCI DSS compliant and will immediately provide the Company with details of the steps being taken to remediate the non-compliance status.
In no event should the Supplier’s notification to the Company be later than five working days after the Supplier learns it is no longer PCI DSS compliant.

Appears in 1 contract

Sources: Terms & Conditions of Purchase of Goods or Services

Data Protection. 22.1 19.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that for the Authority is purposes of the Data Controller Protection Legislation both the Local Authority and that the Supplier is provider are acting as independent data controllers for the purposes of this agreement and are individually responsible for ensuring they comply with all relevant duties and obligations. 19.2 The provider, where required by legislation, shall be registered under the Data ProcessorProtection Act 2018 (“the 2018 Act”) and shall comply with its obligations under the 2018 Act and the Computer Misuse Act insofar as performance of this Agreement gives rise to the obligations under those Acts. 22.2 The Supplier shall:19.3 Parties will ensure that they do nothing knowingly or negligently which places the other Parties in breach of that Party’s obligations under the 2018 Act. 22.2.1 Process 19.4 Notwithstanding the Personal Data only general obligation in accordance with instructions from Clause 12, where the Service Provider is processing personal data (as defined by the 2018 Act) as a data processor for the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified defined by the Authority to 2018 Act) the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and Service Provider shall ensure that it has in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement place appropriate technical and organisational measures to protect ensure the Personal Data security of the personal data (and to guard against unauthorised or unlawful Processing processing of the personal data and against accidental lossloss or destruction of, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to to, the Personal Data and having regard to the nature personal data), as required under Article 5 of the Personal Data which GDPR and: 19.4.1 Provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Service Provider is complying with its obligations under the 2018 Act; 19.4.2 Promptly notify the Authority of any breach of the security measures required to be protected;put in place pursuant to Clause 19.4; and 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from 19.4.3 Ensure that it does nothing knowingly or negligently which places the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision breach of the Services;Authority’s obligations under the 2018 Act. 
22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data 21.1 Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's Service Provider’s obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and auditAct 2018, the Supplier's data Processing activities (and/or those of its agents, subsidiaries Service Provider will provide such assistance and Sub-Contractors) and comply with all reasonable requests or directions support which may reasonably be requested from time to time by the Authority to enable for the purposes of enabling or assisting the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods 
employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: 21.1.1 the Freedom of Information Act 2000 and associated Regulations and Statutory Instructions (“FOIA”); and 21.1.2 any code of practice, guidance, practice recommendation, decision, notice, information notice and enforcement notice which may be issued from time to time by the Department of Constitutional Affairs or the Office of the Information Commissioner. 21.2 Without prejudice to Clause 20, and in the event of: 21.2.1 a request made on the Authority for access to information under the FOIA; or 21.2.2 any notice, recommendation or compliant made to the Authority in relation to the FOIA, 21.2.3 the Service Provider will provide to the Authority: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 relation to an access request, any details in respect of the Data Protection Act 1998 by providing an adequate level information as the Authority may request and a copy of protection to any Personal Data that is transferredthe relevant information where the Authority requests such copy; and (ii) in relation to any reasonable instructions notified to it by notice, recommendation or complaint, any background details, supporting documentation and copy information which the Authority may request in order to deal with such notice, recommendation or Contracting Body concernedcomplaint (iii) within 10 Working Days of the date of the request from the Authority. 
22.2.11 The Supplier shall comply 21.3 In the event that the Service Provider receives directly: 21.3.1 a request for information under the FOIA; and/or 21.3.2 any notice, recommendation or compliant in relation to a matter for which the Authority is legally responsible under the FOIA 21.3.3 the Service Provider will: (i) immediately pass such request, notice, recommendation or complaint to the Authority’s Authorised Representative for action at all times the Authority’s sole discretion, along with full background details and any supporting documentation relating to the subject matter of such request, notice, recommendation or complaint; and (ii) not act or omit to act, including making any representations or entering into any communications with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement relevant third party, in such a way as to cause prejudice the Authority’s position in relation to such request, notice, recommendation or compliant. 21.4 The Service Provider acknowledges that the Authority is obliged under the FOIA to breach disclose information, including information relating to its appointment under this Agreement, to third parties, subject to certain exemptions. The Service Provider further accepts and acknowledges that the decision to disclose information and the application of any of such exemptions under the FOIA will be at the Authority’s sole discretion provided that the Authority shall act reasonably and proportionately in exercising its applicable obligations under the FOIA, by giving such notice as is reasonable in the circumstances and considering whether any exemptions under Section 43 FOIA may apply to protect the Service Provider’s legitimate commercial and trade secrets. 
SCHEDULE A Commercial Sensitive Data Protection Legislation.B1. The following information relating to the Contract shall be classed as “commercially sensitive” and shall therefore constitute “Data” for the purposes of this Agreement: 1. Any and all information relating to and including, but not limited to data relating to pay, pensions and personnel details of the staff of the Data Controller handled and stored by the Data Processor 2. Any and all information relating to and including, but not limited to data relating to pay, pensions and personnel details of the staff of the Data Controller handled and stored by the Data Processor 3. Information as mentioned in sections B1 and B2 above

Appears in 1 contract

Sources: Early Education Provider Agreement

Data Protection. 22.1 With respect to 15.1. Both Parties shall comply with all applicable requirements of the Parties' rights Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under this Framework Agreementthe Data Protection Legislation. 15.2. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Parties agree that the Authority Client is the Data Controller and that the Supplier LTT is the Data ProcessorProcessor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). The Appendix sets out the scope, nature and purpose of processing by LTT, the duration of the processing and the types of Personal Data and categories of Data Subject (where Personal Data and Data Subject have the meanings as defined in the Data Protection Legislation). 22.2 The Supplier 15.3. LTT shall: 22.2.1 Process , in relation to any Personal Data processed in connection with the performance by LTT of its obligations under this Agreement, process that Personal Data only in accordance for the purposes of complying with instructions its obligations under this Agreement. 15.4. To the extent that the Client collects and passes Personal Data to LTT pursuant to this Agreement, it represents, warrants and undertakes that: (a) it has obtained appropriate authority from all Data Subjects to whom it relates, or has provided them with the Authority (requisite information required under the Data Protection Legislation, to pass their Personal Data to LTT for the purposes for which may be specific instructions or instructions of a general nature the Client intends to use it and/or as set out in this Framework Agreement or as otherwise notified specified by the Authority Client in writing; and (b) it is accurate and up to date. 15.5. 
Subject to clause 15.6, the Supplier during Client hereby authorises LTT to pass data on to its suppliers, sub- contractors and other third parties (Sub-Processors) as necessary for the Term); 22.2.2 Process the Personal Data only to the extent, performance of LTT’s obligations under this Agreement and in such manner, otherwise as it necessary needed for the provision of the Services or as is required by Law or Ground Arrangements. 15.6. LTT shall: (a) inform the Client of any Regulatory Bodychanges it has made to its Sub-Processors and permit the Client to object to those changes; 22.2.3 implement (b) ensure any Sub-Processor agrees in writing to comply with obligations at least equivalent to those obligations imposed on LTT in this clause that relate to the requirements laid down in Article 28(3) of the UK GDPR and there the Sub-Processor fails to comply with those obligations, LTT shall remain liable to the Client for the Sub-Processor’s failure. 15.7. The Client accepts that that LTT is not liable for the acts, omission or failure of any Sub-Processor where such Sub-Processor relates to the provision of Ground Arrangements requested by the Client. 15.8. Taking into account the state of technical development and the nature of the processing, LTT shall, in relation to any Personal Data processed in connection with the performance by LTT of its obligations under this Agreement, ensure that it has in place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature processing of the Personal Data and comply with against accidental loss or destruction of, or damage to, the obligations set out in this Clause 22 (Data Protection);Personal Data. 22.2.7 15.9. LTT shall ensure that none access to Personal Data is limited to the employees of Supplier’s Staff publishLTT and authorised Sub-Processors and all parties who need access to it to supply the Arrangements and who are subject to an enforceable obligation of confidence with regards to the Personal Data. 15.10. 
Subject to clause 15.11and 15.12, disclose LTT shall not transfer, or divulge otherwise directly or indirectly disclose, any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred countries outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body United Kingdom without the prior written 
consent of the Authority Client except where LTT is required to transfer the Personal Data by the laws of the United Kingdom (and shall inform the Client of that legal requirement before the transfer, unless those laws prevent it doing so). 15.11. LTT shall be permitted to transfer the Personal Data to countries outside of the UK to the extent that any one or Contracting Body concerned and, where more of the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply withfollowing applies: (ia) LTT has in place with the obligations of a Data Controller under non-UK Sub-Processor the Eighth Data Protection Principle model contractual clauses as set out in Schedule 1 Decision 2010/87/EU or any alternative version of those clauses issued by the Data Protection Act 1998 by providing European Commission or a supervisory authority from time to time; (b) the transfer is to a non-UK country that is deemed to have an adequate level of protection from time to any time by the Commission or such other supervisory authority; (c) to the extent that the transfer is to a group company located outside of the UK, LTT’s group has in place Binding Corporate Rules for the transfer of Personal Data that is transferred; andto a non-UK group company; (iid) any reasonable instructions notified there is an approved code of conduct in place by an association or other body representing the Client or LTT that applies to it by the Authority non-UK territory or Contracting Body concernedterritories to which the Personal Data is to be transferred; (e) there is an approved certification mechanism in place in respect of the non-UK territory. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Wholesale Supply Agreement

Data Protection. 22.1 With respect For the purpose of the following Clauses, the terms “controller”, “data subject”, "personal data", “process”, “processor” and “personal data breach” shall have the meanings given to them in the Data Protection Laws, and “processing” and “processed” shall be construed accordingly. Each party hereby undertakes to the Parties' rights other that it shall comply with the obligations of a "controller" under the provisions of the Data Protection Laws and undertakes that it will only process personal data as is necessary to perform its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process the Personal Data only Agreement (without prejudice to Clause 5.2 (General standards)) in accordance with instructions from the Authority applicable Data Protection Laws. In addition, each party (which may be specific instructions or instructions to the extent that it processes personal data as a processor on behalf of the other party (the “Controller Party”) [in accordance with Schedule Part 28]): taking into account the nature of the processing and in accordance with Article 32 of the GDPR, warrants that it has (and all Sub Contractors of any tier and their agents have to the extent that they process personal data as a processor on behalf of a general nature as set out in this Framework Agreement or as otherwise notified by Controller Party) the Authority to the Supplier during the Term); 22.2.2 Process the Personal Data only to the extent, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data in place against unauthorised or unlawful Processing processing of personal data and against accidental lossloss or destruction of, destruction, damage, alteration or 
disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 22.2.4 take to, personal data held or processed by it; has taken all reasonable steps to ensure the reliability and integrity of any Supplier’s Staff of its staff (including consultants and agents) who will have access to personal data processed as part of this Agreement, and to ensure such persons shall have entered into an appropriate contractual agreement that requires them to keep the Personal Data; 22.2.5 obtain prior Approval from personal data confidential; undertakes that it will act only on the Authority documented instructions of the Controller Party in order relation to transfer the Personal processing of any personal data made available by or on behalf of the Controller Party as part of this Agreement, and immediately inform the Controller Party if, in its opinion, an instruction infringes the Data Protection Laws; shall make available to the Controller Party all information necessary to demonstrate compliance with this Clause 60.3 and undertakes to allow the Controller Party access to any Subrelevant premises on reasonable notice to inspect its procedures described at Clause 60.3.1 above; shall promptly, and in any event within forty-Contractors eight (48) hours of receipt of any request or Affiliates for correspondence, notify the provision Controller Party about any actual or suspected breach of this Clause 60.3 or the Data Protection Laws, or any actual or suspected personal data breach and shall: implement any measures necessary to restore the security of compromised personal data; and support the Controller Party in making any required notifications to any regulatory authority and affected data subjects; shall promptly, and in any event within forty-eight (48) hours of receipt of any 
request or correspondence, notify the Controller Party if it receives a subject access request or notice from a data subject exercising its rights under the Data Protection Laws in respect of any personal data or any correspondence from a regulatory authority in relation to the processing of any personal data on behalf of the Services; 22.2.6 ensure that all Supplier Staff required to access Controller Party; shall not sub-contract any processing of personal data without the Personal Data are informed of the confidential nature of the Personal Data and Controller Party’s prior written consent; shall comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) imposed upon a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations processor under the Data Protection Legislation; 22.2.9 provide Laws, and use all reasonable endeavours to assist the Authority with full cooperation and assistance Controller Party in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in requirements of the Data Protection Legislation Laws (including the obligations pursuant to Articles 32 to 36 of the GDPR (inclusive)); upon termination of the Agreement and in accordance with on the Authority's instructions; (c) providing instructions of the Authority with Controller Party, shall return to the Controller Party or destroy all copies of the personal data, except the extent it is required to keep copies by any Personal Data it holds in relation to a Data Subject (within law of the timescales 
required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority UK or the Authority’s Representative (subject to the reasonable European Union; and appropriate confidentiality undertakings), to inspect and audit, the Supplier's shall not transfer any personal data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the Controller Party’s prior written consent of consent. Where a party sub-contracts any processing in accordance with clause 60.3.7, that party shall impose the Authority or Contracting Body concerned and, where same data protection obligations in this Agreement and as required by Data Protection Laws on the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations sub-processor by way of a Data written contract. The party sub-contracting processing in accordance with clause 60.3.7 shall remain fully liable to the Controller under Party for the Eighth Data Protection Principle performance of its obligations. 
[At the time the Controller Party requires the other party to process personal data on the Controller Party’s behalf, the parties shall identify and agree in writing, in the form set out in Schedule 1 Part 28, in accordance with this Agreement and Article 28 of the Data Protection Act 1998 by providing an adequate level GDPR, the subject matter and duration of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with processing, the Data Protection Legislation nature of the processing, the type of personal data, categories of data subjects and shall not perform its obligations under this Framework Agreement in such a way as to cause and rights of the Authority to breach any of its applicable obligations under the Data Protection Legislation.Controller Party.]2

Appears in 1 contract

Sources: Project Agreement

Data Protection. 22.1 With respect 2.1 The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the Parties' rights avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. 2.2 To the extent that the nature of this Framework Agreement means that the Parties are acting both as Controllers, each Party undertakes to comply at all times with its obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller Protection Legislation and that the Supplier is the Data Processor. 22.2 The Supplier shall: 22.2.1 Process 2.2.1 implement such measures and perform its obligations (as applicable) in compliance with the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term)Protection Legislation; 22.2.2 Process 2.2.2 be responsible for determining its data security obligations taking into account the Personal state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data only to the extentSubjects, and in such manner, as it necessary for the provision of the Services or as is required by Law or any Regulatory Body; 22.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to loss and ensure the protection of the rights of the Data Subject, in such a manner that Processing will meet the requirements of the Data Protection Legislation where Personal Data has been transmitted by it, or while the Personal Data and having regard is in its possession or control; 2.2.3 where appropriate, promptly refer to the nature other Party any requests, from (i) Data Subjects in regards to the right of the access to Personal Data which is to be protected; 22.2.4 take all reasonable steps to ensure the reliability of any Supplier’s Staff who have access to the Personal Data; 22.2.5 obtain prior Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure by that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 22 (Data Protection); 22.2.7 ensure that none of Supplier’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 22.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under in accordance with the Data Protection Legislation; 22.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it 
holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 22.2.10 The Supplier shall: (a) permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) the Information Commissioner; or (iii) any other law enforcement authority and to the extent it is reasonable instructions notified and practical to it by do so consult with the Authority or Contracting Body concernedother Party (for the avoidance of doubt at no additional cost) before responding to such request. 
22.2.11 The Supplier shall comply at all times 2.3 Where Personal Data is shared between the Parties, each acting as Controller: 2.3.1 the Data Transferor warrants and undertakes to the Data Recipient that such Personal Data has been collected, Processed and transferred in accordance with the Data Protection Legislation and shall not perform this Clause 2 of this Schedule 3; 2.3.2 the Data Recipient will Process the Personal Data in accordance with the Data Protection Legislation and this Clause 2 of this Schedule 3; and 2.3.3 where the Data Recipient is in breach of its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under Schedule 3 and the Data Protection Legislation, the Data Transferor may temporarily suspend the transfer of the Personal Data to the Data Recipient until the breach is repaired. 2.4 The Supplier and the Authority shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). 2.5 The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Framework Agreement.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 55.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. 55.2 The Contractor shall: 55.2.1 Process the Personal Data only in accordance with instructions from the Department (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Department to the Contractor during the Term); 55.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 55.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 55.2.4 take all reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 55.2.5 obtain prior written consent from the Department in order to transfer the Personal Data to any Sub-contractors or Affiliates of the Contractor for the provision of the Services; 55.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 55; 55.2.7 ensure that none of Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Department; 55.2.8 notify the Department (within five (5) Working Days) if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Department's obligations under the Data Protection Legislation; 55.2.9 provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Department with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; (c) providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and (d) providing the Department with any information requested by the Department; 55.2.10 permit the Department or the Department Representative (subject to any Department Representative entering into confidentiality undertakings on the terms set out in Schedule 2.7 (Form of Confidentiality Agreement)), to inspect and audit, in accordance with Clause 53 (Audit Provision and Audit Access), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Framework Agreement; and 55.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department). 55.3 If the Processing of Personal Data requires the transfer of Personal Data from the territory from which the Contractor is providing the Services to a third party outside the European Economic Area, the Contractor shall obtain the Department's consent prior to any such transfer and where such consent is obtained, it shall be subject to: 55.3.1 the Contractor engaging the third party on terms that are substantially the same as, and no less stringent, than the terms contained in this Clause 55; and 55.3.2 procuring that such third party enters into the EU Commission controller to processor standard clauses (Commission Decision 2002/16/EC dated 27 December 2001) with the Department in respect of the Personal Data to be Processed by a third party. 55.5 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Department to breach any of its applicable obligations under the Data Protection Legislation and/or the Computer Misuse ▇▇▇ ▇▇▇▇.

Appears in 1 contract

Sources: Agreement for the Provision of Administration Services

Data Protection. 22.1 With 32.1. The Parties agree that with respect to the Parties' their rights and obligations under this Framework Agreement, Agreement and for the Parties agree purposes of the Data Protection Legislation that the Authority Client is the Data Controller Controller” and that the Supplier ILLY is the Data Processor” to the extent that it is providing an Application Hosting service for the licensed software on the ASP Infrastructure. 22.2 The Supplier 32.2. ILLY shall: 22.2.1 Process 32.2.1. only undertake processing of “Personal Data” (as defined in the Personal Data only Protection Legislation) in accordance with the Client’s policies, including - but not limited to - data protection, information security and retention of personal data and instructions from the Authority Client (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority Client to the Supplier ILLY during the Term); 22.2.2 Process the 32.2.2. only undertake processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services Services, or as is required by Law law or any Regulatory Bodyregulatory body with the necessary jurisdiction; 22.2.3 32.2.3. implement appropriate technical and organisational measures Protective Measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental lossany Data Loss Event Data Protection Legislation, destruction, damage, alteration or disclosure. These provided that such measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data Loss Event and having regard to to: the nature and sensitivity of the Personal Data which is to be protected; the state of technological development and the cost of implementing any measures; 22.2.4 32.2.4. 
take all reasonable steps to ensure the reliability of any Supplier’s Staff of its Personnel who have access to the Personal Data, including carrying out adequate security checks on those Personnel; 22.2.5 obtain prior Approval from the Authority in order 32.2.5. ensure that all of its Personnel who legitimately require access to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 22.2.6 ensure that all Supplier Staff required to access the Personal Data carry out their duties are informed of the confidential nature of the Personal Data Data, are subject to appropriate confidentiality undertakings and comply with the obligations set out in this Clause 22 (Data Protection)section; 22.2.7 32.2.6. ensure that none of Supplier’s Staff its Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AuthorityClient; 22.2.8 32.2.7. not transfer the Personal Data to any Personnel involved in the provision of the Services without first obtaining the written consent of the Client; 32.2.8. notify the Authority Client without undue delay and in any event within five (5) Working Days 24 hours if it receivesit: (a) receives a request from a Data Subject any individual to have access to that person's their Personal Data; or; (b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or request communication relating to the Authorityeither Party's obligations under the Data Protection Legislation; 22.2.9 d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event. 
▇▇▇▇'s obligation to notify under clause 32.2.8 shall include the provision of further information to the Client in phases, as details become available. 32.2.9. provide the Authority Client with full cooperation and assistance in relation to any complaint or request mademade in relation to the Personal Data, including (without limitation) by: (a) providing the Authority Client with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's Client’s instructions; (c) providing the Authority Client with any Personal Data it holds in relation to a Data Subject an individual (within the timescales required by the AuthorityClient); and (d) providing the Authority Client with any information requested by the Authority;Client. 22.2.10 The Supplier shall: (a) 32.2.10. permit the Authority Client or the Authority’s Representative its officers (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's audit ILLY’s data Processing processing activities (and/or those of its agents, subsidiaries and Sub-ContractorsPersonnel) and comply with all reasonable requests or directions by the Authority Client to enable the Authority Client to verify and/or procure that the Supplier ILLY is in full compliance with its obligations under this Framework Agreement; (b) 32.2.11. provide a written description of the technical and organisational methods employed by the Supplier ILLY for Processing processing Personal Data (within the timescales required by the AuthorityClient); and (c) 32.2.12. 
not cause or permit to be Processed and/or otherwise transferred process Personal Data outside the European Economic Area any Personal as referred to in the Data supplied to it by the Authority or any Other Contracting Body Protection Legislation without the prior written consent of the Authority or Contracting Body concerned Client and, where the Authority or Other Contracting Body concerned Client consents to Processing and/or transfer outside the European Economic Areaa transfer, to comply with: (ia) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 2018 and Article 46 of the GDPR by providing an adequate level of protection to for any Personal Data that is transferred; and (iib) any reasonable instructions notified to it by the Authority or Contracting Body concernedClient. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Standard Terms and Conditions

Data Protection. 19.1 Each party agrees that, in the performance of their respective obligations under this Framework Agreement, it shall comply with the provisions of the Privacy Legislation to the extent it applies to each of them. 19.2 In so far as a party (“processing party”) processes any Personal Data (including name, postal address, email address, mobile/telephone details, and other contact or personal details) relating to individuals which is acquired or collected by the processing party on behalf of the other party (“controlling party”) in connection with this Agreement, subject to sub-Clause 19.5, the processing party shall: 19.2.1 process the Personal Data on behalf of the controlling party (or, if so directed by the controlling party, an Affiliate or Affiliates of the controlling party), only for the purposes of performing this Agreement and only in accordance with instructions contained in this Framework Agreement or as otherwise provided to the processing party in writing by the controlling party from time to time; 19.2.2 not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised in writing by the controlling party; 19.2.3 at all times comply with the provisions of the Privacy Legislation and all other Applicable Laws and implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 19.2.4 ensure that only those personnel (including Belltree Personnel where the processing party is ▇▇▇▇▇▇▇▇) who need to have access to the Personal Data are granted access to such data and only for the purposes of the performance of this Agreement and ensure that all of said personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 19; 19.2.5 obtain prior written consent from the controlling party before transferring Personal Data to any sub-contractor (including any Sub-contractor) and, if such consent is given, include in all contracts with such sub-contractors provisions in favour of the controlling party which are equivalent to those in this Clause 19 and enforce these obligations at the controlling party’s request; 19.2.6 not publish, disclose or divulge any of the Personal Data to any third party (including the Data Subject) unless directed to do so in writing by the controlling party; 19.3 The processing party shall notify the controlling party within five (5) Business Days if it: 19.3.1 becomes aware of any breach of this Clause 19 by it or its sub-contractors (including any Belltree personnel); 19.3.2 receives a request from a Data Subject to have access to that person's Personal Data; 19.3.3 receives a complaint or request relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and 19.3.4 receives any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement. 19.4 The processing party shall: 19.4.1 permit the controlling party or its external advisers (subject to the reasonable and appropriate confidentiality undertakings) to inspect and audit the processing party’s data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the controlling party to enable the controlling party to verify and procure that the processing is in full compliance with its obligations under this Framework Agreement; 19.4.2 at no additional cost, provide such information to the controlling party as the controlling party may reasonably require, and within the timescales reasonably specified by the controlling party, to allow the controlling party to comply with the rights of Data Subjects, including Data Subject-access rights, or with notices served by the Information Commissioner or any other law enforcement authority; and 19.4.3 not transfer Personal Data outside the UK and European Economic Area without the prior written consent of the controlling party, such consent to be outlined in the relevant Work Statement and, where the controlling party consents to such transfer, to comply with: 19.4.4 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Privacy Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 19.4.5 any reasonable instructions notified to it by the controlling party. 19.5 Where the Client is located within a Third Country or is a Non-compliant US Entity and is processing any European Union and/or UK Personal Data (including name, postal address, email address, mobile/telephone details, and other contact or personal details as detailed in the DPA) relating to individuals which is acquired or collected by Belltree in connection with the Agreement, the parties hereby agree to comply with the terms of the DPA with respect to the transfer and processing of any Personal Data. If there is any conflict between the terms of this Agreement and the terms of the DPA, the terms of the DPA shall have precedence. 19.6 All Personal Data relating to individuals which is acquired or collected by Belltree on behalf of the Client in connection with this Agreement shall belong exclusively to the Client which hereby grants to Belltree and, to the extent necessary, to Belltree Personnel, or shall use commercially reasonable endeavours to procure the grant of, a royalty-free, non-exclusive licence (or, where relevant, an appropriate sub-licence) to use the same solely in relation to the performance of the Services as contemplated in this Framework Agreement.

Appears in 1 contract

Sources: Services Agreements

Data Protection. 23.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 23.2 The Supplier shall: 23.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 23.2.2 Process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Goods and Services or as is required by Law or any Regulatory Body; 23.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 23.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Personal Data; 23.2.5 obtain prior written Approval from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the purpose of providing the Goods and Services; 23.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 23; 23.2.7 ensure that none of Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 23.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 23.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority; and (d) providing the Authority with any information requested by the Authority; 23.2.10 The Supplier shall: 22.2.10.1 permit the Authority or the Authority’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; 22.2.10.2 provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and 22.2.10.3 not cause or permit to be processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: 22.2.10.3.1 the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 22.2.10.3.2 any reasonable instructions notified to it by the Authority or Contracting Body concerned. 23.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 30.1 Encompass shall agree and enter into an information sharing protocol as agreed by the Parties and the Data Processing Contract when Encompass is acting as a data processor on behalf of the Council as set out in Schedule 11 and at all times act in compliance with these. 30.2 Encompass shall (and shall procure that any of its personnel involved in the provision of the Services under this Agreement shall) comply with any notification requirements under the DPA and the Parties shall duly observe all their obligations under the DPA, which arise in connection with the Agreement. Furthermore, Encompass shall adhere with all applicable provisions of the Data Protection Legislation. 30.3 Notwithstanding the general obligation in Clause 30.2, where Encompass is processing Personal Data as a Data Processor for the Council, Encompass shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA. This shall include (but not be limited to) maintaining secure and encrypted email facilities for the receipt and disclosure of personal data using methods or networks agreed with the Council. 30.4 Encompass shall: 30.4.1 ensure that all Staff who have access to Personal Data have completed Information Governance Training or equivalent training agreed by the Council as Data Controller; 30.4.2 provide a written description of the technical and organisational methods employed by the Data Processor for processing Personal Data (within the timescales required by the Council as a Data Controller); 30.4.3 identify a responsible person for all information governance issues and the protection of all Personal Data that it processes; 30.4.4 provide the Council with such information as the Council may reasonably require to satisfy itself that Encompass is complying with its obligations under the DPA; 30.4.5 notify the Council within 24 hours of any breach of the security measures required to be put in place pursuant to this clause; 30.4.6 provide the Council with full co-operation and assistance in relation to any complaint or request made pursuant to this clause; and 30.4.7 ensure it does not knowingly or negligently do or omit to do anything which places the Council in breach of the Council's obligations under the DPA. 30.5 Encompass shall notify the Council (as Data Controller) within two Working Days, if it receives: 30.5.1 A Subject Access Request as defined by the legislation from a Data Subject to have access to that person’s Personal Data; or 30.5.2 A complaint or request relating to the Council’s (as Data Controller) obligations under the legislation. 30.5.3 Save for any requests for copies of previous applications submitted by Data Subjects to Encompass, for any other request from a Data Subject Encompass shall complete a data request record and provide the Council with a monthly report of such requests or at such frequency as the Council may require. 30.6 The provisions of this clause shall apply during the continuance of this Agreement and indefinitely after its expiry or termination or until all data is returned to the Council who is the Data Controller.

Appears in 1 contract

Sources: Agreement for the Provision and Operation of Housing Needs, Homelessness and Support Brokerage Services

Data Protection. Within this Agreement the terms “controller”, “data subject”, “personal data”, “personal data breach”, “process” (“processed” to be construed accordingly) and “processor” shall have the same meanings as in the Data Protection Legislation. 19.1. With respect to the Parties' rights and obligations under this Framework Agreement, the Parties acknowledge that in relation to Applicable Data that comprises either (i) Event Data or (ii) Merchant personal data, the Merchant is the data controller and Pay360 by Capita is the data processor, and in relation to Applicable Data that comprises Transaction Data, the Issuer, the Acquirer or the Scheme (as applicable) is the data controller, the Merchant is the data processor, and Pay360 by Capita is a sub-processor. References to the data controller in this clause 19 should therefore be read and construed as being references to the Merchant, the Issuer, the Acquirer or the Scheme as applicable. 19.2. The parties acknowledge their respective obligations under the Data Protection Legislation and shall give each other such assistance as is reasonable to enable each other to comply with such obligations, however, for the avoidance of doubt the Merchant agrees that where Pay360 by Capita has satisfied a contractual obligation under this Agreement, then such satisfaction of the contractual obligation is deemed to satisfy the same or similar requirement under the Data Protection Legislation. 19.3. The Merchant warrants, represents and undertakes to Pay360 by Capita that it has lawful grounds for processing the Applicable Data. 19.4. The parties confirm that the information relating to the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; and the obligations and rights of the data controller have been set out in this Agreement and in Annex 1 Part 1. 19.5. Where Pay360 by Capita processes the Applicable Data under or in connection with this Agreement, Pay360 by Capita shall: 19.5.1. save as required otherwise by law, only process such Applicable Data as is necessary to perform its obligations under this Agreement, and only in accordance with the data controller’s documented instructions; 19.5.2. put in place appropriate technical and organisational measures to meet its own obligations under the Data Protection Legislation; 19.5.3. ensure Pay360 by Capita staff who will have access to the Applicable Data are subject to appropriate confidentiality obligations; 19.5.4. be entitled to engage sub-processors to process the Applicable Data subject to Pay360 by Capita ensuring that equivalent requirements to those set out in this clause are imposed on any sub-processor(s), Pay360 by Capita remaining fully liable for the performance of the sub-processor’s obligations and where applicable, providing to the data controller reasonable prior notice of any addition, removal or replacement of any such sub-processors; 19.5.5. not process or transfer the Applicable Data outside the European Economic Area without the prior documented consent of the data controller (which consent is hereby given in respect of the processing of data by those third parties described [in Annex 1 Part 2]). For the avoidance of doubt, any consent given under this clause includes the consent to transfer the Applicable Data to the United Kingdom; 19.5.6. have in place the appropriate technical and organisational security measures to protect the Applicable Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access; 19.5.7. notify the data controller without undue delay after becoming aware of any personal data breach involving the Applicable Data, taking into account the nature of processing and the information available to Pay360 by Capita; 19.5.8. take appropriate technical and organisational measures, insofar as is possible, to assist the data controller in responding to requests by data subjects for access to or rectification, erasure or portability of the Applicable Data or for restriction of processing or objections to processing of the Applicable Data (but Pay360 by Capita will not itself respond to any such data subject request except on written instructions from the data controller). Furthermore Pay360 by Capita will, upon the request of the Merchant, provide assistance to the Merchant relating to the Merchant’s security; and impact assessment; data breach reporting requirements; and data protection or data privacy authority consultation obligations under the Data Protection Legislation taking into account the information available to Pay360 by Capita. Pay360 by Capita may charge the Merchant its reasonable costs (or the rates otherwise agreed between the parties) for its time spent and expenses incurred in providing the Merchant with co-operation and assistance as required by this clause; 19.5.9. make available to the Merchant such information as the Merchant reasonably requests and Pay360 by Capita is reasonably able to provide, and, permit and contribute to such audits, including inspections, conducted by the Merchant (or the Merchant’s appointed auditors), as is necessary to demonstrate Pay360 by Capita’s compliance with the Data Protection Legislation. The Merchant will give reasonable notice of any audit and will be fully liable for any associated costs (including those of Pay360 by Capita); and 19.5.10. save as may be required by law AND/OR where the parties have agreed that Pay360 by Capita e.g. legal claims/regulatory requirements may need to retain the Personal Data to support potential chargebacks within the Chargeback Period at the Merchant’s cost, or retain card on file data at the Merchant’s request, and optionally either delete or return the Applicable Data to the Merchant on expiry or termination of this Agreement, provided always that nothing in this clause shall oblige Pay360 by Capita to provide assistance which does not relate directly to the Service performed pursuant to this Agreement. 19.6.
Pay360 by Capita shall inform the Merchant in writing if, in Pay360 by Capita’s opinion, an instruction from the Merchant infringes the Data Protection Legislation but only in relation to a breach of General Data Protection Regulation ((EU 2016/679)) and/or other Union or Member State data protection provisions and not jurisdictions outside of these areas. However, the Merchant acknowledges that: 19.6.1. any information Pay360 by Capita provides is not legal advice or guidance in any way whatsoever, and that Pay360 by Capita makes no warranty or representation regarding the information (express or implied); and 19.6.2. this clause shall not relieve the Merchant of its obligation to ensure that all instructions to Pay360 by Capita comply with all applicable legislation, including all Data Protection Legislation; and 19.6.3. Pay360 by Capita may charge the Merchant its reasonable costs (or the rates otherwise agreed between the parties) for its time spent and expenses incurred in providing the Merchant with co-operation and assistance as required by this clause. 19.7. Notwithstanding anything to the contrary in this Agreement, if any of the following occur: 19.7.1. any changes/modifications to the Data Protection Legislation (including in connection with the withdrawal of the United Kingdom from the European Union and/or the EEA) including the requirement to amend, update, modify or replace any systems Pay360 by Capita use to process the Personal Data; 19.7.2. any new, clarified or amended guidance or policies issued by a supervisory authority; 19.7.3. any direction or instruction issued by a supervisory authority (whether relating to the Merchant or Pay360 by Capita in respect of the Service (including any processing of the Applicable Data), then any increased effort or costs incurred by Pay360 by Capita in association with the aforementioned shall be additionally chargeable to the Merchant. 19.8.
The Merchant shall indemnify and keep indemnified Pay360 by Capita against any liability, fines, claims, demands, expenses and costs (including legal fees) arising as a result of: any breach of the Data Protection Legislation by the Merchant, or Pay360 by Capita acting in accordance with any instruction, policy or procedure of the Merchant. 19.9. The Merchant warrants and represents that any Merchant instruction, policy or procedure shall be lawful. 19.10. Data Consent - The Merchant consents to Pay360 by Capita’s use of; 19.10.1. information relating to the Merchant and the Merchant’s business (including personal data) in accordance with the Data Protection terms set out in this Agreement and 19.10.2. the Merchant’s personal data for marketing and research purposes as specified in accordance with the Data Protection terms set out in this Agreement. In using the Service the Merchant is consenting to the use of their personal data as specified.

Appears in 1 contract

Sources: Terms of Business

Data Protection. 18.1. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The AUTHORITY and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. 18.2. Where the SERVICE PROVIDER, pursuant to its obligations under this Framework Agreement, processes Personal Data on behalf of the AUTHORITY, it shall: 18.2.1. process the Personal Data only in accordance with instructions from the AUTHORITY (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the AUTHORITY to the SERVICE PROVIDER during the Term); 18.2.2. process the Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 18.2.3. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 18.2.4. take all reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; 18.2.5. obtain prior written consent from the AUTHORITY in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Services; 18.2.6. ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 18; 18.2.7. ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the AUTHORITY; 18.2.8. notify the AUTHORITY (within five (5) Working Days) if it receives: 18.2.8.1. a request from a data subject to have access to that person’s Personal Data; or 18.2.8.2. a complaint or request relating to the AUTHORITY’s obligations under the Data Protection Requirements; 18.2.9. provide the AUTHORITY with full cooperation and assistance in relation to any complaint or request made, including by: 18.2.9.1. providing the AUTHORITY with full details of the complaint or request; 18.2.9.2. complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the AUTHORITY’s instructions; 18.2.9.3. providing the AUTHORITY with any Personal Data it holds in relation to a data subject (within the timescales required by the AUTHORITY); and 18.2.9.4. providing the AUTHORITY with any information requested by the AUTHORITY; 18.2.10. permit the AUTHORITY or its representatives (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with Clause 33, the SERVICE PROVIDER’s data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the AUTHORITY to enable the AUTHORITY to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Framework Agreement; 18.2.11. provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for processing Personal Data (within the timescales required by the AUTHORITY); and 18.2.12. not process Personal Data outside the European Economic Area without the prior written consent of the AUTHORITY and, where the AUTHORITY consents to a transfer, to comply with: 18.2.12.1. the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and 18.2.12.2. any reasonable instructions notified to it by the AUTHORITY. 18.3. The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Framework Agreement in such a way as to cause the AUTHORITY to breach any of its applicable obligations under the Data Protection Requirements.
18.4. The AUTHORITY may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the AUTHORITY such information as the AUTHORITY may reasonably require relating to: 18.4.1. compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Framework Agreement in connection with the processing of Personal Data; and/or 18.4.2. the rights of data subjects, including but not limited to subject access rights. 18.5. The SERVICE PROVIDER will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the AUTHORITY or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Framework Agreement. 18.6. With respect to the parties’ rights and obligations under this Framework Agreement, the parties acknowledge that, except where otherwise agreed, the AUTHORITY is the Data Controller and the SERVICE PROVIDER is the Data Processor. Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 31, a Sub-Contractor to assist it in providing the Services and such assistance includes the processing of Personal Data on behalf of the AUTHORITY, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 31 relating to the appointment of Sub-Contractors, the AUTHORITY hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the AUTHORITY’S behalf such Sub-Contractor to process Personal Data provided that the SERVICE PROVIDER shall notify the AUTHORITY in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Framework Agreement, including the terms set out in Clause 18.2. 
Any Sub-Contractor appointed under the provisions of this Clause 18.6 shall, for the purposes of Schedule 9, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 9. 18.7. Save as set out in this Clause 18, any unauthorised processing, use or disclosure of Personal Data by the SERVICE PROVIDER is strictly prohibited. 18.8. The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the AUTHORITY against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the AUTHORITY which arise directly or in connection with the SERVICE PROVIDER’s data processing activities under this Framework Agreement, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 1.1 The Councils acknowledge that for the purposes of the Data Protection Legislation, both Councils are the Joint Controllers of data. The only processing that the Councils are authorised to do is listed in Schedule 1 and may not be determined by either one of the Councils alone. 1.2 Both Councils shall notify the other immediately if it considers that any of the processing under the Agreement infringes the Data Protection Legislation. 1.3 The Councils shall provide all reasonable assistance to each other in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Parties' Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 Both Councils shall, in relation to any Personal Data processed in connection with its obligations under this Framework Agreement, (a) process that Personal Data only in accordance with Schedule 1, unless required to do otherwise by Law.
If it is so required the Council shall promptly notify the other Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the other Council as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Council’s Personnel do not process Personal Data except in accordance with this Agreement and in particular Schedule 1; (ii) the Councils take all reasonable steps to ensure the reliability and integrity of any Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Council’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Council or any Sub-processor; (C) are informed of
the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Council unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the
EU unless the prior written consent of both Councils has been obtained and the following conditions are fulfilled: (i) the Council has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Councils; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Council complies with their obligations of a Data Controller under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the other Council in meeting its obligations); and (e) the Councils delete or return Personal Data (and any copies of it) to the other Council on termination of the Agreement unless the other Council is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Councils shall notify the other Council immediately if it receives a request relating to Personal Data in the other Council’s control including: (a) a Data Subject Access Request (or purported Data Subject Access Request); (b) a request to rectify, block or erase any Personal Data; (c) any other request, complaint or communication relating to
either Council's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Council for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Councils’ obligations to notify under clause 1.5 shall include the provision of further information to the other Council in phases, as details become available. 1.7 Taking into account the nature of the processing, the Councils shall provide each other with full assistance in relation to either Council's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably agreed) including by promptly providing: (a) full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested to enable the other Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the other Council, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the other Council following any Data Loss Event; (e) assistance as requested by the other Council with respect to any request from the Information Commissioner’s Office, or any consultation by the other Council with the Information Commissioner's Office. 1.8 The Councils shall maintain complete and accurate records and information to demonstrate its compliance with this clause.
1.9 The Councils shall allow for audits of its Data Processing activity by the other Council or the other Council’s designated auditor. 1.10 The Councils shall designate a data protection officer as required by the Data Protection Legislation. 1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Councils must: (a) notify the other Council in writing of the intended Sub-processor and processing; (b) obtain the written consent of the other Council; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and (d) provide the other Council with such information regarding the Sub-processor as the other Council may reasonably require. 1.12 The respective Council shall remain fully liable for all acts or omissions of any Sub-processor. 1.13 The Councils may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to controller standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Councils agree to take account of any guidance issued by the Information Commissioner’s Office. The Councils may on not less than 30 Working Days’ notice to the other Council amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Delegation and Joint Committee Agreement

Data Protection. 14.1 Each Party shall comply and shall procure that any of its staff involved in the activities under this MLSA and Service Contract (as applicable) shall comply with the provisions imposed on them by the Data Protection Laws. This clause 14 is supplemental to the Parties' rights and does not relieve, remove or replace, a Party’s obligations under the Data Protection Laws. 14.2 Each Party shall maintain records of all its Personal Data processing operations relating to this MLSA and each Service Contract (as applicable) such that these records contain at least the minimum information required by the Data Protection Laws and each Party shall make such information available to an applicable regulator on request. 14.3 The Parties acknowledge that for the purposes of the Data Protection Laws, the intention of the Parties is that the Customer is the controller and that mhance is the processor. Schedule 5 of the Service Contract sets out details of the processing of Personal Data to be undertaken by mhance in connection with this MLSA and the Service Contract, the types of Personal Data, categories of Data Subjects, and nature and purposes of processing. Such processing shall take place throughout the duration of this MLSA or Service Contract (as applicable).
14.4 To the extent that mhance processes any Personal Data on behalf of the Customer pursuant to this MLSA or Service Contract (as applicable), mhance shall: 14.4.1 process such Personal Data only in accordance with the Customer’s written instructions from time to time (which may be specific instructions or instructions of a general nature including those set out in this MLSA or Service Contract (as applicable)) save for processing which mhance is required to do pursuant to any Applicable Law;
14.4.2 take all reasonable steps to ensure that: (a) access to such Personal Data is limited to its personnel who need to access it in order to meet mhance’s obligations under this MLSA or Service Contract (as applicable); (b) in the case of access by its personnel, access to such Personal Data is limited to such part or parts of the Personal Data as is strictly necessary for performance of that member of personnel’s own duties; and (c) any personnel who have access to such Personal Data are subject to binding obligations of confidentiality when processing such Personal Data; 14.4.3 implement and maintain technical and organizational measures and procedures to ensure an appropriate level of security for such Personal Data, including protecting such Personal Data against the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access; 14.4.4 inform the Customer if any such Personal Data is (while within mhance's possession or control) subject to a personal data breach (as defined
in Article 4 of GDPR or UK GDPR, as applicable) without undue delay after becoming aware; 14.4.5 not disclose any such Personal Data to any Data Subject or to a Third Party other than at the written request of the Customer, in order to comply with a requirement of a regulator having authority over mhance, or as expressly provided for in this MLSA or Service Contract (as applicable); 14.4.6 at the written request of the Customer, return or delete (subject to paying additional charges at the Customer’s then applicable time and material rates in circumstances where the Customer can carry out these tasks itself) all such Personal Data on termination or expiry of this MLSA or Service Contract (as applicable), and not make any further use of such Personal Data (except to the extent that Applicable Law or the Customer’s administrative and regulatory requirements requires continued storage of any such Personal Data by mhance); 14.4.7 provide to the Customer and any regulator (at the Customer’s cost and at mhance’s then time and material rates for any repeat requests) all records, information and assistance necessary to demonstrate or ensure compliance with the obligations in this clause 14.4; 14.4.8 no more than once every calendar year and subject to mhance having the right to do so, permit the Customer or its representatives (at the Customer’s cost at mhance’s then time and material rates) to access any relevant premises, personnel or records of mhance on reasonable notice (but being no less than fifteen (15) Business Days) to audit and otherwise verify compliance with this clause 14.4, unless such audit is required by a regulator or in circumstances where mhance has reported a personal data breach in which case it can be carried out as necessary and with as much notice as the Customer is able reasonably to give; 14.4.9 take such steps as are reasonably required to assist the Customer (at the Customer’s cost at mhance’s then time and material rates, for any onerous or
repeat requests) to comply with the Customer’s obligations under Articles 30 to 36 (inclusive) of the GDPR (or UK GDPR as applicable) as they relate to mhance’s obligations under this MLSA or Service Contract (as applicable); 14.4.10 notify the Customer within seven (7) Business Days if it receives a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data; and 14.4.11 provide the Customer with its reasonable co-operation and assistance in relation to any complaint or request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data.
mhance shall not charge for such requests unless such request is manifestly unjust or excessive, in which case mhance shall reserve the right to charge the Customer a reasonable administration fee; and 14.4.12 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained, not to be unreasonably withheld or delayed, and one of the following conditions has been fulfilled under the applicable Data Protection Laws: (a) the transfer is to a country or territory which provides an adequate level of protection; (b) the
transfer is made subject to appropriate safeguards; or (c) a relevant derogation exists. 14.5 If either Party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other Party or to either Party's compliance with the Data Protection Laws, it shall promptly notify the other Party and shall provide the other Party with reasonable co-operation and assistance in relation to any such complaint, notice or communication. 14.6 Where the Customer or an Authorised User transfers Personal Data to mhance, whether as part of the Service or otherwise, the Customer warrants to mhance that it has secured a lawful data processing ground, in accordance with and in compliance with applicable Data Protection Laws, to process such Personal Data and to share such Personal Data with mhance. 14.7 The Customer hereby indemnifies mhance for any DP Losses incurred as a result of: 14.7.1 a claim by a data subject whose Personal Data has been provided by or on behalf of the Customer to mhance pursuant to the Service Contract, that there is no lawful basis of processing that Personal Data in accordance with the terms of this MLSA or Service Contract (as applicable); and/or 14.7.2 a breach of a data subject’s rights under Data Protection Laws, arising out of any written instructions provided by or on behalf of the Customer to mhance pursuant to this MLSA or Service Contract (as applicable) or otherwise relating to Personal Data; and/or 14.7.3 a breach by the Customer of its warranty in clause 14.6. 14.8 mhance hereby indemnifies the Customer for any DP Losses incurred solely as a result of a breach by mhance of its obligations pursuant to clause 14.
14.9 mhance may subcontract its processing of Personal Data on behalf of the Customer, for the sole purpose of providing a part of the Services or enabling mhance to provide the Services. mhance shall procure that any such sub-contractor enters into a written contract with mhance which contains obligations for the protection of Personal Data which are no less onerous than those set out in this clause 14. As between the Customer and mhance, mhance shall remain fully liable for all acts and omissions of any sub-contractor appointed by it pursuant to this clause 14. 14.10 mhance’s current list of sub-contractors (Current Sub-Contractors) which are used to undertake processing of any Personal Data on behalf of the Customer will be provided to the Customer on written request. By entering into this MLSA, (or Service Contract, as applicable), the Customer approves the use of the Current Sub-Contractors. The rights afforded to the Customer in clauses 14.11, 14.12 and 14.12 shall not apply in relation to Current Sub-Contractors. 14.11 Following the date of this MLSA, mhance shall notify the Customer of its appointment of a new sub-contractor in respect of processing of Personal Data on behalf of the Customer (which is not a Current Sub-Contractor). 14.12 If the Customer wishes to object to mhance’s use of such sub-contractor notified in accordance with clause 14.11: 14.12.1 Customer must notify mhance in writing within 10 Business Days of the notification from mhance pursuant to clause 14.11; and 14.12.2 Customer’s objection to the relevant appointment must be on the basis that the relevant appointment would result in a breach of the Customer’s ability to comply with its obligations under the Data Protection Laws as a result of the relevant appointment.
14.13 If the Customer objects to any new sub-contractor in accordance with clause 14.12, mhance will use reasonable efforts to make available to the Customer an alternative solution or arrangement to avoid the processing by the relevant sub-contractor of any Personal Data provided by the Customer, provided that mhance shall be entitled to make a reasonable additional charge to cover the costs of implementing and operating the alternative solution or arrangement. 14.14 If mhance is unable to make available an alternative solution or arrangement within a reasonable period of time (which shall not exceed ninety (90) days) or if the Customer is unwilling to pay any charge by mhance to cover the costs of implementing and operating the alternative solution or arrangement, the Customer may, by written notice to mhance terminate the MLSA and all affected Service Contracts, in which case, the Customer shall be entitled to receive a pro rata refund of any prepaid fees and other applicable charges for the period following the effective date of termination.

Appears in 1 contract

Sources: Master Licence and Services Agreement

Data Protection. 32.1. The Parties agree that with respect to their rights and obligations under this Agreement and for the purposes of the Data Protection Legislation that the Client is the “Data Controller” and that ILLY is the “Data Processor” to the extent that it is providing an Application Hosting service for the licensed software on the ASP Infrastructure. 32.2. ILLY shall: 32.2.1. only undertake processing of “Personal Data” (as defined in the Data Protection Legislation) in accordance with the Client’s policies, including - but not limited to - data protection, information security and retention of personal data and instructions from the Client (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Client to ILLY during the Term); 32.2.2. only undertake processing of Personal Data only to the extent, and in such manner, as it is necessary for the provision of the Services, or as is required by law or any regulatory body with the necessary jurisdiction; 32.2.3. implement appropriate Protective Measures to protect the Personal Data against unauthorised or unlawful Processing and against any Data Loss Event Data Protection Legislation, provided that such measures shall be appropriate to the harm which might result from any Data Loss Event and having regard to: the nature and sensitivity of the Personal Data which is to be protected; the state of technological development and the cost of implementing any measures; 32.2.4. take all reasonable steps to ensure the reliability of any of its Personnel who have access to the Personal Data, including carrying out adequate security checks on those Personnel; 32.2.5. ensure that all of its Personnel who legitimately require access to the Personal Data to carry out their duties are informed of the confidential nature of the Personal Data, are subject to appropriate confidentiality undertakings and comply with the obligations set out in this section; 32.2.6. ensure that none of its Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Client; 32.2.7. not transfer the Personal Data to any Personnel involved in the provision of the Services without first obtaining the written consent of the Client; 32.2.8. notify the Client without undue delay and in any event within 24 hours if it: (a) receives a request from any individual to have access to their Personal Data; (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. ILLY's obligation to notify under clause 32.2.8 shall include the provision of further information to the Client in phases, as details become available. 32.2.9. provide the Client with full cooperation and assistance in relation to any complaint or request made in relation to the Personal Data, including (without limitation) by: (a) providing the Client with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Client’s instructions; (c) providing the Client with any Personal Data it holds in relation to an individual (within the timescales required by the Client); and (d) providing the Client with any information requested by the Client. 32.2.10. permit the Client or its officers (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit ILLY’s data processing activities (and/or those of its agents, subsidiaries and Personnel) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that ILLY is in full compliance with its obligations under this Agreement; 32.2.11. provide a written description of the technical and organisational methods employed by ILLY for processing Personal Data (within the timescales required by the Client); and 32.2.12. not process Personal Data outside the European Economic Area as referred to in the Data Protection Legislation without the prior written consent of the Client and, where the Client consents to a transfer, to comply with: (a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 2018 and Article 46 of the GDPR by providing an adequate level of protection for any Personal Data that is transferred; and (b) any reasonable instructions notified to it by the Client.

Appears in 1 contract

Sources: Standard Terms and Conditions

Data Protection. 16.1 With respect to the parties’ rights and obligations under the Agreement, the parties acknowledge that, for the purposes of the Data Protection Legislation, the Company is the processor and the Customer is the controller in respect of any personal data processed by the Company pursuant to the Agreement. The Order Document sets out the scope, nature, and purpose of processing by the Company, the duration of the processing and the types of personal data and categories of data subject. 16.2 Each party shall comply with all applicable requirements of the Data Protection Legislation in respect of personal data. This clause 16 is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Legislation. 16.3 Without limiting the generality of the foregoing, the Company shall: (a) Process the personal data only on behalf of the Customer, only for the purposes of performing the Agreement and only in accordance with the Customer’s documented data controller instructions from time to time, unless required to do so by the law, in which case it will inform the Customer of that legal requirement before processing, subject to any legal requirement prohibiting such notification.
The Customer’s documented instructions include any tasks attributed to the Company in a Service Level Agreement; (b) Only transfer personal data to a third country or international organisation, on the instruction of the data controller (Customer) or with the data controller’s authorisation; (c) Ensure that only personnel that are authorised by the Company to have access to personal data, have been properly trained and appropriately vetted and have committed themselves to confidentiality in respect of the personal data and are made aware of the Company’s obligations hereunder; (d) Taking into account the nature of the processing implement and take such measures in relation to the security, confidentiality, availability, and integrity of the personal data as are required of it by the Data Protection Legislation and this Agreement; (e) Observe and comply with the requirements of the Data Protection Legislation with regard to the engagement of, and responsibility for, sub-processors; (f) Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests by data subjects to exercise their rights under the Data Protection Legislation (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing). 
Where notification of the exercise of such rights is given to the Company, the Company shall notify the Customer without undue delay, but in any case, within 5 days of the request; (g) Taking into account the nature of the processing and the information available to the Company, assist the Customer in carrying out its obligations under the Data Protection Legislation with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators. Any such assistance required from the Company (by the Customer) in relation to a breach of Data Protection Legislation by the Customer, shall be chargeable by the Company at the then prevailing rates; (h) Make available to the Customer information that demonstrates its compliance with appropriate Data Protection Legislation and this clause 16, in relation to its obligations as a processor; (i) Notify the Customer without undue delay but in any event within 48 hours, after becoming aware of a Data Incident. 16.4 If the Company notifies the Customer that, in its opinion, an instruction infringes any applicable Data Protection Legislation, or is of the opinion that an instruction to process personal data is for purposes other than the performance of the relevant Agreement, it will consult with the Customer as soon as reasonably possible. If the Company, after consultation is of the same opinion, it will not be obliged to follow that instruction. 16.5 The Company acknowledges that the personal data belongs to the Customer. 16.6 The engagement of any sub-processor named in the Order Document or other Contract Document for the purposes stated therein is authorised by the Customer and such shall be a general written authorisation for the purposes of the Data Protection Legislation in relation to the purpose for which the sub-processor is engaged. 
16.7 Where a sub-processor ceases to trade, becomes insolvent or is in breach of the Data Protection Legislation, the Company may change that sub-processor without reference to the Customer provided that: (a) it notifies the Customer as soon as practicable and in any event prior to the processing being undertaken; (b) the replacement sub-processor is reputable and of such size and standing as to be able to fulfil its obligations to the Company without difficulty; and (c) where requested by the Customer the Company shall provide a summary of the findings of due diligence undertaken in respect of the replacement sub-processor. 16.8 If the Customer objects to the change pursuant to clause 16.7 it may terminate the relevant Agreement (or where practicable, that part of it dealing with the relevant services) on the provision of 6 months’ notice and (unless it can show that the objection was objectively reasonable in the circumstances) subject to the payment, prior to the expiry of that notice, of all outstanding charges for the balance of the Agreement Term. 16.9 Provided that the Company only undertakes the following activities on an aggregated basis using anonymised data which cannot be linked back to the Customer or any individual, nothing in this clause 16 shall restrict or prevent the Company from recording, retaining and using for monitoring, Product improvement, user-experience improvement, statistical analysis or marketing purposes: (a) any information derived from the Customer or its Representatives access to and use of any Software or Services; or (b) any information or data stored or processed using the Software or Services. 16.10 Subject to clause 3.1 (c) the Company shall permit the Customer (or a third party authorised by it), to carry out data protection audits and inspections of the Company. 
16.11 Without limiting the generality of the foregoing, the Customer shall: (a) ensure that it, and its Associated Companies, comply with the Data Protection Legislation and all applicable codes of practice in respect of the personal data from time to time, including in its role as a controller and in supplying or making available to the Company any personal data for Processing by the Company in performance of its obligations under the Agreement; and (b) not instruct the Company to process personal data for purposes other than the performance of the Agreement. 16.12 The Customer warrants to the Company that: (a) it has all necessary appropriate legal basis and notices in place to enable the lawful transfer of personal data to the Company for the duration and purposes of the Agreement. (b) all personal data provided to the Company pursuant to the Agreement will be, to the best of its knowledge, accurate and complete in all material respects, and that the Customer is entitled to provide the same to the Company without recourse to any third party; and (c) the personal data does not and shall not, so far as it is aware, infringe the rights of any third party. 16.13 The Customer acknowledges that the Company is reliant on the Customer for direction as to the extent that the Company is entitled to use and process personal data and that such direction will be set out in the Order Document. 16.14 If either party breaches its obligations under this clause 16 or the Data Protection Legislation it shall indemnify the other from and against any resulting Losses. 16.15 Where it is determined that both the Company and the Customer are involved in the same processing of the data and are jointly and severally liable under Article 82 paragraphs 2 and 3 for damage caused by the processing; no settlement in relation to that damage shall be made without first consulting the other party. 
16.16 Upon expiry of the Agreement Term (or early termination however so arising) of the Agreement the Customer shall, within 5 working days of receipt of a request from the Company, provide written instruction to the Company in respect of the return and/or deletion of the data that has been processed under the Agreement. Upon receipt of such instruction the Company shall promptly comply and either: (a) provide a copy of the Customer’s data as an Oracle export (unless otherwise agreed as part of the exit process and charges) and then securely delete the Customer instance and the data within it; or (b) securely delete the Customer instance and the data within it. 16.17 The Company shall upon completion of the deletion of the data provide a certificate of destruction to the Customer. 16.18 Where a Customer fails to return the instruction or collect the data extract after a period of 30 days the Company shall delete the Customer's instance and the data within. The Customer warrants that it shall not hold the Company liable for any breach of the Data Protection Legislation or any losses incurred through its failure to provide the instruction at clause 16.16.

Appears in 1 contract

Sources: Master Services Agreement

Data Protection. 27.1 With respect to the Parties' rights and obligations under this Framework Agreement, the Parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 27.2 The Supplier shall: 27.2.1 process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); 27.2.2 process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Available Services or as is required by Law or any Regulatory Body; 27.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 27.2.4 take all reasonable steps to ensure the reliability of any Supplier Staff who have access to the Personal Data; 27.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any Sub-Contractors or Affiliates for the provision of the Available Services; 27.2.6 ensure that all Supplier Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 27; 27.2.7 ensure that none of Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 27.2.8 notify the Authority within five (5) Working Days if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; or (b) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; 27.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (a) providing the Authority with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; (c) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (d) providing the Authority with any information requested by the Authority; 27.2.10 permit the Authority or the Authority Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit, the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (b) provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Authority); and (c) not cause or permit to be Processed and/or otherwise transferred outside the European Economic Area any Personal Data supplied to it by the Authority or any Other Contracting Body without the prior written consent of the Authority or Contracting Body concerned and, where the Authority or Other Contracting Body concerned consents to Processing and/or transfer outside the European Economic Area, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority or Contracting Body concerned. 22.2.11 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the “Customer” is the Data Controller and that Evolution Internet Ltd, the “Provider” is the Data Processor. The only processing that the Provider is authorised by the Customer to do is listed in Annex 1 and will not be determined by the Provider. 1.2 The Provider will notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 The Provider will provide all a reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Provider will, in relation to any Personal Data processed in connection with (a) process all Personal Data only in accordance with Annex 1, unless the Provider is required to do otherwise by Law. If it is so required the Provider will promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Provider Personnel do not process Personal Data except in accordance with this Agreement (Annex 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Provider Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Provider's duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training. (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) the Provider complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Provider is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Provider will notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Provider's obligation to notify under clause 1.5 will include the provision of further information to the Customer in phases, as details become available.
1.7 Taking into account the nature of the processing, the Provider will provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: (a) the Customer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Customer following any Data Loss Event; (e) assistance as requested by the Customer with respect to any request from the Information Commissioner's Office or any consultation by the Customer with the Information Commissioner's Office. 1.8 The Provider will maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Provider employs fewer than 250 staff, unless: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Provider will allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 1.10 The Provider has a designated data protection officer; if the Customer requires details of this individual they should contact the Provider.
1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Provider will: (a) notify the Customer in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Customer; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Schedule such that they apply to the Sub-processor; and (d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 1.12 The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 1.13 The Provider may, at any time on not less than 30 Working Days’ notice, revise this addendum by replacing it with any applicable clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Provider may on not less than 30 Working Days’ notice to the Customer amend this agreement to ensure that it complies with any Guidance issued by the Information Commissioner’s Office. 1.15 The Provider’s Terms of Service (Annex 2) state the roles and responsibilities of both the Provider and the Customer when using the system.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 16.1. In relation to any Personal Data processed in performance of the Services, each party shall comply with its respective obligations under the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679, Directive 95/46/EC and any successor legislation (“Data Protection Laws”). In this regard, Asite acts as Customer’s or Authorised Users ‘data processor’ (the terms ‘data processor’, ‘data subprocessor’ and ‘data controller’ having the meaning given to the term "controller" and "processor" (respectively) in Article 4 of the UK GDPR with the Customer’s Customer acting as the data controller, the Customer acting as the data processor and Asite acting as subprocessor). Both parties will ensure that any data and/or any Personal Data processed pursuant to this Agreement (including where any third parties are used to process any Personal Data) is so processed in conformance with: 16.1.1. Asite’s technical and security measures (which policies shall be available in electronic form within the Site from time to time) to protect such Personal Data against accidental loss or unlawful destruction, alteration, disclosure or access; 16.1.2. Customer’s or Authorised User’s express instructions (provided they are reasonable and in accordance with applicable law); and 16.1.3. All data held by the Asite platform is held securely in data centres based in the United Kingdom. 16.2. Asite shall at all times implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. 16.3. Asite shall (at its own expense) promptly provide such information and assistance as the Customer may reasonably require in relation to the fulfilment of the Customer’s obligations to respond to requests for exercising the data subject’s rights under Chapter III of the General Data Protection Regulation (EU) 2016/679 (and any similar obligations under applicable Data Protection Laws). 16.4. Asite shall indemnify and keep indemnified at its own expense the Customer against all claims, liabilities, damages, administrative fines, costs or expenses incurred by the Customer or for which the Customer may become liable due to any failure by Asite (as sub-processor or its subcontractors, agents or personnel) to comply with its obligations under this agreement or the Data Protection Laws including but not limited to any data breaches. Notwithstanding the provision under this clause 16.4, the liability of Asite in respect of all claims under this clause shall be limited to £1,000,000 (one million pounds). 16.5. Asite shall indemnify Customer against all claims, liabilities, damages, administrative fines, costs or expenses occurred by the Customer due to loss or damage or corruption or destruction of data resulting from any act or omission of Asite or any malfunction of its platform. 16.6. Asite shall maintain complete, accurate and up-to-date written records of all categories of processing activities carried out on behalf of the Customer and such records shall be made available to Customer upon written reasonable request.

Appears in 1 contract

Sources: Master Services Agreement

Data Protection. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Service Provider is the Processor. The only processing that the Provider is authorised to do is listed in Schedule 3 (Processing, Personal Data and Data Subjects) by the Council and may not be determined by the Contractor. 17.2 The Service Provider shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. 17.3 The Service Provider shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 17.4 The Service Provider shall, in relation to any Personal Data processed in connection with its obligations under this contract: a. process that Personal Data only in accordance with Schedule 3 (Processing, Personal Data and Data Subjects), unless the Service Provider is required to do otherwise by Law. If it is so required the Service Provider shall promptly notify the Council before processing the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; c. ensure that: (I) the Service Provider’s Staff do not process Personal Data except in accordance with this contract (and in particular Schedule 3 (Processing, Personal Data and Data Subjects));

Appears in 1 contract

Sources: Domiciliary Care Sessional Support Agreement

Data Protection. 26.1 Both the Executive and the Provider shall comply with their statutory obligations under Data Protection Laws. In this regard, in so far as the Provider obtains and processes personal data relating to Service Users or any other persons in the course of the provision of the Services, it shall comply with its obligations as a “data controller” under Data Protection Laws and with all rules and policies governing the collection, retention, use, disclosure, security and deletion of information as may be set out in the Codes of Practice from time to time. Where the Executive provides personal data to the Provider, the Provider represents and undertakes to the Executive that it shall use, process and disclose such data only for the purposes permitted under this Arrangement. Where the Provider acts as a data processor of the Executive and there is no existing contractual arrangement (i.e. in the form of the HSE Data Processing Agreement (“DPA”) available on the Executive’s website) in place between the Executive and the Provider governing a relevant processing activity or activities, then the specific Data Sharing Terms available on the Non-Statutory Section of the Executive’s website at ▇▇▇.▇▇▇.▇▇/▇▇▇/▇▇▇▇▇▇▇▇/▇▇▇▇▇▇▇▇▇▇▇▇/▇▇▇- statutory-sector/ (the “Terms”) shall apply. 26.2 Without prejudice to the Executive’s rights under Clause 8.4 (Audit and Information) and Clause 10 (Access Rights) and the obligations of the Provider under Clause 8.6 (Other Information Obligations), the Provider acknowledges that the disclosure of personal data to the Executive by the Provider may be required pursuant to an enactment (including but not limited to the Health Acts, Data Protection Laws or pursuant to the laws referred to in Clauses 23.4(f) and 23.6 of this Arrangement). In those circumstances, the Provider will provide such data to the Executive as soon as possible following a written request from the Executive. 26.3 The Provider shall ensure that it has obtained all approvals, authorisations and permissions which are required by law to enable the Provider to access and disclose any personal data which is sought by the Executive other than where such disclosure is required pursuant to an enactment, rule of law or by order of a court. 26.4 Without prejudice to Clause 17 (Complaints) of this Arrangement, the Provider shall inform the Executive if it receives any written communication from the Office of the Data Protection Commissioner or equivalent office in another jurisdiction in connection with any Service User or the Services (including for the avoidance of doubt, if it relates to a personal data breach or complaint concerning the Executive’s patient data or IT system) and, in responding to such communications, the Provider shall have regard to any views or representations provided by the Executive in relation thereto. 26.5 The Provider will promptly (and in any event within twenty-four (24) hours) inform the Executive of any actual or suspected breach of security which would give rise to the actual or potential loss, theft, unauthorised release or disclosure of information (where unauthorised disclosure of information relates to the Executive) or any part thereof (the relevant person in the Executive to be promptly informed is the “Key Contact Person” named in paragraph A of Section 1 (Contact Details) of the HPSR. In such an event, the Provider will immediately supply the Executive with all relevant facts surrounding the actual or suspected breach. In the event that the Provider enters into any communication with the Office of the Data Protection Commissioner or equivalent office in another jurisdiction including by way of example, the notification of a breach of the DPA, the DSA or the Terms, as applicable, the Provider will inform the Executive as soon as possible.

Appears in 1 contract

Sources: Service Arrangement

Data Protection. 18.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 18 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 18.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the data controller and the Provider is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Appendix 4 of the Individual Services Contract terms and conditions sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject. 18.3 Without prejudice to the generality of clause 18.1, the Council will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this agreement. 18.4 Without prejudice to the generality of clause 18.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement: 18.4.1 process that Personal Data only on the written instructions of the Council unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Provider to process Personal Data (Applicable Laws). Where the Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Provider shall promptly notify the Council of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Council; 18.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 18.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 18.4.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (a) the Council or the Provider has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Provider complies with reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; 18.4.5 assist the Council, at the Council’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 notify the Council without undue delay on becoming aware of a Personal Data breach; 18.4.7 at the written direction of the Council, delete or return Personal Data and copies thereof to the Council on termination of the agreement unless required by Applicable Law to store the Personal Data; and 18.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 18 and allow for audits by the Council or the Council’s designated auditor. 18.5 The Council does not consent to the Provider appointing any third party processor of Personal Data under this Services Agreement. 18.6 The Provider may, at any time on not less than 30 days’ notice, revise this clause 18 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Services Agreement).

Appears in 1 contract

Sources: Services Agreement

Data Protection. 17.1 Each party undertakes that it shall comply (and shall require that its Staff comply) with the Privacy and Data Protection Requirements and that it has an appropriate registration or notification with all and any relevant data protection authorities. 17.2 Where a party is to be a Processor of Personal Data under this Agreement on behalf of the other party, the other party being a Controller in respect of that Personal Data, then the party who is the Processor shall in relation to the Personal Data provided by the Controller: (a) procure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of such Personal Data and against accidental loss or destruction of, or damage to, such Personal Data, taking into account the nature of the Personal Data; (b) in relation to such Personal Data, act only on the documented instructions of the Controller as documented in writing; (c) process such Personal Data only to the extent, and in such manner, as is necessary for the purposes of this Agreement; (d) operate appropriate security procedures, processes and systems to ensure that unauthorised persons do not have access to any equipment used to process such Personal Data or to the Personal Data itself; (e) use reasonable endeavours to ensure the reliability of its Staff with access to such Personal Data and ensure that all such staff are under obligations of confidentiality in relation to such Personal Data; (f) obtain prior written consent from the Controller before transferring such Personal Data to any sub-contractor and ensure that any such sub-contractor is engaged on a written agreement giving commitments in relation to the processing of such Personal Data no less onerous than set out in this Agreement. The Processor shall remain liable to the Controller for the acts of any such sub-contractor in relation to such Personal Data; (g) not transfer such Personal Data outside the EEA without the consent of the Controller; (h) provide reasonable assistance to the Controller to assist the Controller to meet a request or complaint made by a Data Subject in respect of such Personal Data in order to meet the requirements of Chapter III of the General Data Protection Regulation (Regulation (EU) 2016/679) in respect of Data Subject rights; (i) provide reasonable assistance to the Controller to demonstrate compliance with this clause 16.5 and allow for and contribute to inspections conducted by the Data Controller; (j) notify the Controller if, in its opinion, an instruction given by the Controller breaches the General Data Protection Regulation (Regulation (EU) 2016/679); and (k) on termination of this Agreement or the end of the carrying out of data processing, delete or return all such Personal Data to the Controller and delete existing copies unless required by law. 18 LIMITATION OF LIABILITY 18.1 This clause 18 sets out the entire financial liability of Zivio (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Client: (a) arising under or in connection with these Terms; (b) in respect of any use made by the Client of the Software, Services and Documentation or any part of them; and (c) in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with these Terms. 18.2 Subject to clause 18.4, Zivio shall not be liable to the Client in contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under these Terms. 18.3 Zivio's total aggregate and maximum liability, in contract (including in respect of the indemnity at clause 16.2), tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of these Terms shall be limited to the total Subscription Fees paid to Zivio during the three (3) continuous months immediately preceding the date on which the Claim arose. 18.4 Nothing in this clause 18 shall however exclude or restrict ▇▇▇▇▇’s liability for (a) fraudulent misrepresentations; (b) any liability where the law does not permit such exclusion of liability; and (c) death or personal injury arising from negligence. 18.5 Zivio shall not be in breach of any of its obligations under these Terms which arise or occur due to the act, omission, and default of the Client or your failure to comply with any of its obligations under these Terms. 18.6 Except as expressly set out in these Terms: (a) the Software, Documentation, Services and anything else supplied or provided by Zivio under this Agreement to the Client are done so on an ‘as is’ basis. The Client acknowledges that the service may be subject to limitations, delays and other problems inherent in the use of such communications facilities; (b) the Client assumes sole responsibility for the results obtained from the use of the Services and the Documentation and for conclusions drawn from such use; and (c) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from these Terms. 18.7 No action arising out of or in connection with these Terms may be brought by the Client more than 12 Months after the date of the event from which the Claim (or last of a series of related Claims) arose.

Appears in 1 contract

Sources: Services Agreements

Data Protection. 12.1 Each party shall comply with Data Protection Law to the extent applicable to it. 12.2 Each party acknowledges and agrees that: 12.2.1 each party acts as an independent controller of personal data relating to Customer Representatives; and 12.2.2 OneMSP acts as the Customer’s processor of personal data to the extent that it processes personal data in the course of providing Products, for instance personal data shown on screen during a remote support session or stored on infrastructure managed by OneMSP. 12.3 Each party shall provide reasonable assistance and information to the other party on written request in relation to any request, complaint or query made by a data subject of personal data processed in relation to or due to the provision of the Products, or by any supervisory authority. 12.4 Except to the extent otherwise agreed on the Order, the parties agree that, where OneMSP acts as the Customer’s processor, the following description applies to OneMSP’s processing of the Personal Data: 12.4.1 the subject matter, nature and purpose of the processing is the provision of managed IT services to the Customer and its users; 12.4.2 the categories of data subjects are the Customer’s personnel; 12.4.3 the category of personal data processed is the contact details of the Customer’s personnel used in the provision of support, and such personal data that is shown on those users’ screen whilst OneMSP is providing remote support; and 12.4.4 the duration of processing is the Term, (the “Description of Processing”). 12.5 Where OneMSP processes personal data on behalf of the Customer as the Customer’s processor pursuant to this Agreement (“Personal Data”), or uses a sub-contractor to do so, OneMSP shall: 12.5.1 process the Personal Data only on behalf of the Customer and only for the purposes of performing its obligations under the Agreement, which the parties agree are, taken together, the Customer’s written instructions for processing the Personal Data; 12.5.2 ensure that all persons with access to the Personal Data are subject to an obligation of confidentiality or are under an appropriate statutory obligation of confidentiality; 12.5.3 implement the technical and organisational measures required by Article 32 GDPR, taking into account the Description of Processing; 12.5.4 only engage a sub-processor, or disclose Personal Data to a sub-processor, if either they are named in the Sub-Processor List as at the Effective Date or where: (a) the Supplier has added such sub-processor to the Sub-Processor List (for which the Customer may subscribe to email updates via the Sub-Processor List); and (b) the Customer has not objected to such appointment within seven days of the sub-processor being added to the Sub-Processor List, provided that any such objection must be based upon reasonable evidence (which the Customer shall provide to the Supplier) that the appointment of such sub-processor would materially reduce the level of security of the Personal Data; 12.5.5 where the Customer objects to the appointment of a sub-processor pursuant to clause 12.5.4(B), at its option by giving the Customer notice of its intention, do one of the following: (a) propose a different sub-processor (such sub-processor’s appointment still subject to clause 12.5.4); or (b) modify the Services or the way in which they are provided to avoid processing of the Personal Data by that sub-processor, provided that such modification does not materially degrade the Services; 12.5.6 when appointing a sub-processor: (a) ensure that the sub-processor complies with Data Protection Laws; (b) engage the sub-processor on a written agreement giving commitments in relation to the processing of the Personal Data no less onerous on the sub-processor than this clause 12.5 is on OneMSP; and (c) remain liable to the Customer for the acts and omissions of the sub-processor in relation to the Personal Data; 12.5.7 taking into account the nature of the processing and the information available to OneMSP, and at the Customer’s cost, provide the Customer with such information that it requires in order to comply with: (a) Articles 32, 35 and 36 GDPR; and (b) Chapter III GDPR, in each case provided that such information has not already been provided to the Customer by OneMSP; 12.5.8 in the event that it becomes aware that it has experienced a personal data breach in respect of such Personal Data: (a) notify the Customer without undue delay after becoming aware of that personal data breach, providing as much information about the nature and impact of it, including the specific categories of Personal Data affected by it, as OneMSP is reasonably able to provide (the Customer acknowledges that such information may be provided in stages as the OneMSP’s investigation proceeds, if it is reasonable to do so); and (b) support and co-operate with the Customer in collecting the information needed by the Customer to comply with its notification obligations under Data Protection Laws to the relevant supervisory authorities and affected data subjects, as the Customer reasonably requires; 12.5.9 at the Customer’s option, delete or return to the Customer the Personal Data when it ceases to provide the relevant Services, including all copies of it unless either: (a) applicable law requires OneMSP to retain the Personal Data; or (b) OneMSP requires such Personal Data in connection with actual or potential legal proceedings; 12.5.10 only transfer the Personal Data outside of the European Economic Area in compliance with Data Protection Laws; 12.5.11 make available to the Customer such information that it reasonably requests where that information is necessary to demonstrate OneMSP’s compliance with this clause 12.5; and 12.5.12 allow the Customer, or its external auditor which is not a direct competitor of OneMSP (and subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit OneMSP’s data processing activities and those of its relevant Affiliates, to enable the Customer to verify that the Supplier is in compliance with its obligations under this clause 12.5, provided that: (a) such right of audit shall not be exercised by the Customer more than once each year, unless specifically required by a supervisory authority of competent jurisdiction; (b) the Customer gives OneMSP not less than 30 days’ prior written notice of its intention to so audit, unless the Customer has reasonable grounds to suspect non-compliance with this clause 12.5; (c) the Customer uses or procures that its auditor uses all reasonable efforts to avoid disruption to OneMSP’s business or operations; (d) neither the Customer nor its auditor will thereby be entitled to access to any data of any other customer of OneMSP, or direct access to any of the Supplier’s or its Affiliates’ systems, unless specifically ordered otherwise by a supervisory authority of competent jurisdiction; (e) any and all information thereby coming into the possession of the Customer or its auditor will be the confidential information of OneMSP or its relevant Affiliate and the Customer will not use or allow it to be used for any other purposes whatsoever and will not disclose, and will procure that it is not disclosed, to any third party unless required by law; and (f) the Customer reimburses OneMSP for any costs reasonably incurred by it and its relevant Affiliates, including for its personnel’s time, except where the audit identifies a material breach of this clause 12.5 by OneMSP or its relevant Affiliates.

Appears in 1 contract

Sources: Terms and Conditions