Duties of the Processor Clause Samples

Duties of the Processor. 3.1 The Processor may collect, process or use Personal Data only within the framework of this DPA and the Instructions given by the Controller. Material changes to the object of data processing and changes to the procedures must be agreed jointly and must be documented. While Processor will not refuse any legally compliant Instruction by Controller, Controller acknowledges and accepts that some Instructions may result in additional remuneration claims for Processor. Processor will inform Controller accordingly prior to executing the Instruction. At any time and without limiting Processor’s claim to additional fees, Controller may waive this right to be informed in prior, e.g. in urgent cases. 3.2 The Processor shall structure Processor's internal organization in a manner that is compliant with the specific requirements of the applicable Data Protection Regulations for the protection of Personal Data,. Processor shall take the appropriate technical and organizational measures to adequately protect Controller's Personal Data against misuse and loss in accordance with the applicable legal requirements in accordance with Applicable Data Protection Laws 3.3 The Processor shall provide the Controller with a summary of the technical and organizational measures , which is attached hereto as Annex 1. Controller understands that the technical and organizational measures are subject to technical progress and further development. In this respect, the Processor shall be permitted to use alternative, suitable measures. 3.4 Upon request, the Processor shall provide the Controller with information necessary for creating the processing description in accordance with Applicable Data Protection Laws. 3.5 The Processor shall provide that the personnel it uses for processing the Controller's data are bound by legal obligations to maintain data secrecy, and that they are informed about other applicable provisions concerning the protection of Personal Data, in particular telecommunications secrecy. The obligation to maintain data secrecy continues to apply after termination of their work contract. 3.6 The Processor shall provide the contact details of the Processor’s data protection officer (DPO) on the internet. As of the effective date of this DPA, the DPO’s current contact details can be found on the Controllers website. 3.7 The Processor shall inform the Controller in the case of breaches of regulations that protect the Controller's Personal Data or of if Controller's Instru...

Duties of the Processor. 1. Any processing of personal data shall be carried out exclusively in accordance with the provisions of the Main Agreement and any instructions issued by the Customer. This also applies to the transfer of personal data to a third country or international organization. This paragraph 1 shall not apply where the Processor is obliged to process personal data by the law of the Union or of the Member States to which it is subject, in which case the Processor shall notify the Customer of these legal requirements prior to processing, unless the law concerned prohibits such notification on grounds of an important public interest. 2. The Processor confirms that it is not legally obliged to appoint a data protection officer within the meaning of the GDPR. In its place, the Processor shall appoint a contact person for the Customer for all data protection issues and the implementation of this contract. 3. The Processor shall bind any person authorized to process personal data to confidentiality unless they are already subject to an appropriate statutory duty of confidentiality. The scope of the obligation shall be in reasonable proportion to the data processed and the consequences of any breach of the protection of personal data. Any further obligations resulting from a separate confidentiality agreement concluded between the parties shall remain unaffected. 4. Upon request, the Processor shall provide its records of processing activities in respect to the processing for the Customer. 5. Taking into account the type of processing and the information available to the Processor, the Processor shall assist the Customer in complying with the obligations set out in Articles 32 to 36 GDPR. To this end, the Processor shall in particular provide the services provided for in this Agreement. 6. As far as necessary, the Processor shall support the Customer in carrying out a data protection impact assessment in accordance with Article 35 GDPR and shall provide the Customer with all information required for this from its sphere. The Processor shall be obligated accordingly if the Customer is required to conduct a prior consultation with a supervisory authority in accordance with Article 36

Duties of the Processor. ‌ (1) The Processor will process personal data exclusively as contractually agreed upon or as instructed by the Controller unless the Processor is legally obligated to carry out specific processing. (2) The Processor acknowledges all relevant and general data protection regulations. The Processor observes the legal principles of data processing. (3) Persons who could obtain knowledge of the processing data in connection with this Agreement are obligated in writing to confidentiality and have been made aware of the relevant provisions of data protection and this Agreement. (4) In connection with processing within this Agreement, the Processor will support the Controller in fulfilling the legal obligations of data protection, especially in preparing and updating records of processing activities, carrying out data protection impact assessments and necessary consultation with supervisory authorities. The Processor is to retain and provide the necessary details and doc- umentation to the Controller immediately upon request. (5) If the Controller subject to inspection or requests for information from supervisory authorities or other bodies, or if data subjects assert their rights, the Processor shall support the Controller inso- far as it involves the processing in this Agreement. (6) The Processor may provide information to third parties or to data subjects only after prior approval is given by the Controller. The Processor will forward any directly received requests immediately to the Controller. (7) Processing is to be conducted exclusively within the EU or the European Economic Area.

Duties of the Processor. 3.1. The Processor shall process the Personal Data (“Data”) on behalf of the Controller as established by the applicable law and, in particular, by the GDPR. 3.2. The Processor acts according to the instructions of the Controller, as below.

Duties of the Processor. 3.3.1. to process the Data exclusively for the purposes of the processing carried out on behalf of the Controller; 3.3.2. to process the data according to the written instructions of the Controller, as set out in the Agreement. Furthermore, if the Processor has to transfer data to a third (non-EU) country or to a third party organisation, in accordance with European Union law or a Member State law to which the Processor is subject, the Processor shall inform the Controller of this legal requirement before processing, unless that law prohibits such information for public interest reasons; 3.3.3. to guarantee the confidentiality of the Data processed under the Agreement; 3.3.4. to inform the Controller without undue delay of any substantial change that has affected the security measures regarding the processing; 3.3.5. to guarantee that the personnel authorised to process the Data under the Agreement: 3.3.5.1. respects confidentiality or is subject to an adequate obligation of confidentiality; 3.3.5.2. receives the necessary training on data protection; 3.3.5.3. does not process data except on indication and according to the instructions of the Processor; 3.3.6. to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and ensures the protection of data subject rights; 3.3.7. to immediately inform the Controller of any request and/or inspection by the Data Protection Authority regarding the processing of Data carried out pursuant to the Agreement. In the case of controls at the offices of the Processor, the latter agrees that a person specifically appointed for this purpose by the Controller shall be present at the time of the check by the proceeding Data Protection Authority (“DPA”); 3.3.8. to respect all the obligations established by article 6 below in the event of a data breach; 3.3.9. to collaborate according to the instructions of the Controller in the case of a citation, injunction, formal notification or any other decision from the DPA or any other competent Authority or assist the Controller in preparing the responses to the said Authorities; 3.3.10. except as indicated below, not to transfer or communicate all or part of the data processed to another person or body, even free of charge.

Duties of the Processor. 1. The Processor undertakes to adhere to all legally applicable requirements concerning the processing of entrusted data, including requirements set out in GDPR, the Act, or regulations implementing the Act, and in particular undertakes to: a) process the entrusted data in a manner ensuring the adequate protection of this data, including by means of adequate technical and organizational means, and ensure their protection against unauthorized or unlawful processing, accidental loss, damage or destruction, b) implement adequate technical and organizational means to ensure the protection level appropriate for the risk level, taking into account the state of technical know-how, cost of implementation and nature, scope, context and aims of processing, c) assessing if the protection level is appropriate - provide adequate analysis of risk of breaching the right and liberty of persons who the data refers to. In this analysis the Processor is obliged to take into account the risk related to processing, in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transferred, stored or processed in any other manner, d) allow processing the entrusted data only to person authorized to process the personal data by the Processor and ensure confidentiality (referred to in art. 28 section 2 letter b) of GDPR) of data processing by these persons, both in the term of their employment by the Processor and after its termination, e) maintain the list of persons authorized to process personal data and present the Controller with this list upon its demand within the time limits the Controller indicated. f) assist the Controller in required scope in satisfying the Controller’s duties set out in art. 32-36 of GDPR, and in particular responding to requests of persons who the data refers to, g) having discovered a breach of personal data, report this fact to the Controller without undue delay, however not later than within 24 hours from the moment of discovering the breach. The report referred to above should include, among others, • date and hour of occurrence, • description of the nature and circumstances of personal data breach, • nature and content of personal data subjected to breach, • number of persons the breach referred to, • description of potential consequences and adverse effects of personal data breach for persons who the data refers to, • description of technical and organizational...

Duties of the Processor a) The Processor is obliged to process Personal Data exclusively in accordance with the documented instructions and in accordance with the stipulations of this DPA. The processing of Personal Data for own purposes or for third parties is prohibited. In particular, no copies may be made unless this is the subject of the data processing or the Controller has given its express consent. b) The Processor will maintain the confidentiality of all data of the Controller and will not disclose data of the Controller to third parties unless Controller or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Processor to process or disclose Personal Data, Processor must first inform Controller of the legal or regulatory requirement and give Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice. c) In granting the rights of the persons concerned in accordance with Art. 15 et seq. GDPR the Processor will support the Controller at first request within the scope of its possibilities. The Processor will take appropriate technical and organizational measures for this purpose. The Processor shall, on instruction, correct, delete or restrict the processing of Personal Data processed on behalf of the Controller. d) If the data collected on behalf of the Controller is subject to a request for data portability in accordance with Art. 20 of the GDPR, the Processor shall make the data set available to the Controller without delay, upon request, within the set time limit, otherwise within 5 working days, in a structured, common and machine-readable format. e) When a data subject makes direct contact with the Processor to exercise rights, the Processor shall forward this request to the Controller without delay. f) The Processor shall inform the Controller without delay if the Processor is of the opinion that an instruction given violates legal regulations. The Processor may suspend the execution of the corresponding instruction until it has been confirmed or modified by the Controller. g) The Processor shall be obliged to notify the Controller no later than 24 (twenty-four) hours after any breach of data protection regulations, of the provisions made in the Contract and the Agreement and/or instructions given by the persons employed by the Controller or other third parties involved in the processing of data by the Processor. h) After termination of the Cont...

Duties of the Processor. 3.1 The subject of the processing, and thus this DPA, is the personal data of third parties that the Processor processes in the software to fulfill the user contract ("Personal Data"). 3.2 This includes the following data of the following affected persons (categories): (a) For rental or purchase applicants: (I) the content of the application; (II) communication content; (III) technical data. (b) For the users (software users) of the Controller: (I) identification and contact data (e.g., name, email); (II) login and other user data; (III) communication content; (IV) technical data. 3.3 This agreement applies to all activities in which the Processor or sub- processors commissioned by the Processor process this Personal Data. 3.4 The purpose of the processing is the provision of the software in accordance with the user contract. This includes the performance of necessary auxiliary functions (e.g., error monitoring). The Processor also evaluates certain technical data of the Controller's users for the non- personal purpose of improving its services. Additionally, section 9 of the AGB applies. 3.5 The nature of the processing includes the necessary activities for these purposes, in particular, collecting, recording, organizing, storing, adapting or altering, retrieving, using, transmitting, providing, matching, linking, deleting, or destroying Personal Data.

Duties of the Processor. The Processor processes personal data only on behalf of the Controller and in accordance with the documented instructions of the Controller. By accepting this Annex, the Controller instructs the Processor to process personal data as follows: