Common use of Information Security and Confidentiality Clause in Contracts

Information Security and Confidentiality. The Data processor undertakes to implement appropriate technical and organizational measures to ensure security of personal data being processed and undertakes to comply with any written security requirements and policies provided by the Data controller. The Data processor undertakes to protect personal data from destruction, alteration, unauthorized distribution, or unauthorized access, and from any forms of unlawful processing. The appropriate technical and organisational measures are chosen to ensure a level of security appropriate to the risk, including inter alia as appropriate: pseudonymisation of Personal Data and their encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. The Data processor undertakes to ensure that it shall apply at least minimal technical and organisational measures referred to in Annex No. 1 “Personal data processing instructions” in the processing of personal data. The Data processor undertakes to take the necessary actions in order to assist the Data controller in case of a personal data breach, to mitigate its adverse effects and to immediately notify the Data controller of any incident relating to personal data and of unauthorized access to personal data in accordance with clauses 3.3-3.6 of this Agreement. The Data processor undertakes to ensure confidentiality of personal data and that the Data processor’s personnel having access to personal data: are appropriately trained to comply with the Data protection laws and the requirements established for them hereunder; properly fulfil the requirements set out herein and in the Data protection laws; are informed of the duty keep the personal data confidential; and have committed themselves to confidentiality on agreed basis or are under an appropriate statutory obligation of confidentiality. The Data processor is obliged to ensure that access to the personal data is strictly limited and granted only to the Data processor’s personnel who need access to such data to perform the duties of the Data processor under this Agreement and the Main Agreement.