Common use of Data Security Incident Clause in Contracts

Data Security Incident.

4.1 The Company shall notify the Customer (in writing) without undue delay, after the Company has become aware of, or has come to have reasonable grounds to suspect, the occurrence of any Personal Data Breach or other incident prejudicing, or revealing a weakness in, the security of the Processed Personal Data while in its possession or under its control (a "Data Security Incident").

4.2 The Company’s notification shall (to the extent reasonably possible):

(a) describe the nature and the origin of the Data Security Incident including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Processed Personal Data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the breach;

(d) describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Said notification shall be sent along with any necessary documentation to enable the Customer, where necessary, to notify this breach to the competent supervisory authority.

4.3 In addition, in case of a Data Security Incident, the Company shall:

(a) take reasonable steps to identify and correct the underlying cause of the Data Security Incident so as to eliminate or minimise the risk of its repetition and the occurrence of similar Data Security Incidents and update the Customer about the implementation of these measures at regular intervals and until completion; and

(b) take such steps as the Customer may reasonably request to assist the Customer in addressing the adverse consequences of the Data Security Incident for the Customer and its affiliates, in particular as regards compliance issues it may trigger with respect to Data Protection Legislation.

4.4 Unless required to do so by any applicable law, the Company shall not communicate with any data protection authority nor any Data Subjects about the existence or the risk of a Personal Data Breach affecting the Processed Personal Data without the Customer’s specific prior written consent (such consent not to be unreasonably withheld or delayed).

Appears in 2 contracts

Sources: Cloud Subscription Agreement, Cloud Subscription Agreement