Common use of Data Retention and Disposal Clause in Contracts

Data Retention and Disposal. The Data Processor shall: (a) promptly upon termination or expiry of this Agreement and, at any other time, on request by the Data Controller, return to the Data Controller or delete all Personal Data, including that of employees of the Data Controller, together with all copies thereof in any media in its power, possession or control, except to the extent the Data Processor is required to retain a copy of such Personal Data to comply with Data Protection Legislation. (b) promptly upon becoming aware of the same and without undue delay, notify the Data Controller of any actual or suspected incident of accidental, unauthorised, or unlawful destruction or disclosure of or access to Personal Data, including where Personal Data is lost or destroyed, becomes damaged, corrupted or unusable and shall provide all co- operation and information reasonably required by the Data Controller in relation to the incident; including: I. description of the nature of such incident, including the categories and approximate number of both Data Subjects and Personal Data records concerned; II. the likely consequences; and III. description of the measures taken and corrective action, or proposed to be taken to address such incident, including measures to mitigate its possible adverse effects, unless such action or measures are contrary to the law. The Data Processor shall provide such corrective action and measures at its own expense. (c) immediately following any accidental, unauthorised, or unlawful incident, the Parties will co-ordinate with each other to investigate the matter. The Data Processor will co-operate with the Data Controller in the Data Controller's handling of the matter, including: I. assisting with any investigation; II. providing the Data Controller with physical access to any facilities and operations affected; III. facilitating interviews with the Data Processor's employees, former employees and others involved in the matter; IV. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Data Controller; and V. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from such incident or unlawful Personal Data processing. (d) The Data Processor will not inform any third party of any such incident without first obtaining the Data Controller's prior written consent, except when required to do so by law. (e) The Data Processor agrees that the Data Controller has the sole right to determine: I. whether to provide notice of such incident to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Data Controller's discretion, including the contents and delivery method of the notice; and II. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. (f) The Data Processor will cover all reasonable expenses associated with the performance of the obligations under clause 1.2.5 of this Agreement unless the matter arose from the Data Controller's negligence, wilful default or breach of this Agreement. (g) The Data Processor will also reimburse the Data Controller for actual reasonable expenses that the Data Controller incurs when responding to such incident to the extent that the Data Processor caused such incident, including all costs of notice and any remedy.

Data Retention and Disposal. The Data Processor shall: (a) promptly upon termination or expiry of this Agreement and, at any other time, on request by the Data Controller, return to the Data Controller or delete all Personal Data, including that of employees of the Data Controller, together with all copies thereof in any media in its its/her/his power, possession or control, except to the extent the Data Processor is required to retain a copy of such Personal Data to comply with Data Protection Legislation. (b) promptly upon becoming aware of the same and without undue delay, notify the Data Controller of any actual or suspected incident of accidental, unauthorised, or unlawful destruction or disclosure of or access to Personal Data, including where Personal Data is lost or destroyed, becomes damaged, corrupted or unusable and shall provide all co- co-operation and information reasonably required by the Data Controller in relation to the incident; including: I. description of the nature of such incident, including the categories and approximate number of both Data Subjects and Personal Data records concerned; II. the likely consequences; and III. description of the measures taken and corrective action, or proposed to be taken to address such incident, including measures to mitigate its its/his/her possible adverse effects, unless such action or measures are contrary to the law. The Data Processor shall provide such corrective action and measures at its its/his/her own expense. (c) immediately following any accidental, unauthorised, or unlawful incident, the Parties will shall co-ordinate with each other to investigate the matter. The Data Processor will shall co-operate with the Data Controller in the Data Controller's handling of the matter, including: I. assisting with any investigation; II. providing the Data Controller with physical access to any facilities and operations affected; III. facilitating interviews with the Data Processor's employees, former employees and others involved in the matter; IV. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Data Controller; and V. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from such incident or unlawful Personal Data processing. (d) The Data Processor will shall not inform any third party of any such incident without first obtaining the Data Controller's prior written consent, except when required to do so by law. (e) The Data Processor agrees that the Data Controller has the sole right to determine: I. whether to provide notice of such incident to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Data Controller's discretion, including the contents and delivery method of the notice; and II. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. (f) The Data Processor will shall cover all reasonable expenses associated with the performance of the obligations under clause 1.2.5 this Clause 14.2.5 of this Agreement unless the matter arose from the Data Controller's negligence, wilful default or breach of this Agreement. (g) The Data Processor will shall also reimburse the Data Controller for actual reasonable expenses that the Data Controller incurs when responding to such incident to the extent that the Data Processor caused such incident, including all costs of notice and any remedy.