Common use of Joint Controllers of Personal Data Clause in Contracts

Joint Controllers of Personal Data. In the event that the Parties are Joint Controllers in respect of Personal Data under this Contract, the Parties shall implement Clauses that are necessary to comply with GDPR Article 26 based on the terms set out in Schedule 11 (Processing Personal Data). With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the Joint Control of the Parties, each Party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. Each Party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other Party to be in breach of it. Where a Party has provided Personal Data to the other Party in accordance with Clause 23.17, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require. The Parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the processing of Personal Data for the purposes of this Contract. The Parties shall only provide Personal Data to each other: to the extent necessary to perform the respective obligations under this Contract; in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); and where it has recorded it in Attachment 11 (Processing Personal Data) of the Order Form. 
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR.

Appears in 1 contract

Sources: Call Off Terms

Joint Controllers of Personal Data. In the event that the Parties are Joint Controllers in respect of Personal Data under the Contract, the Parties shall implement paragraphs that are necessary to comply with UK GDPR Article 26 based on the terms set out in Annex 2 to this Joint Schedule 11. With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the Joint Control of the Parties, each Party undertakes to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Controller. Each Party shall Process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other Party to be in breach of it. Where a Party has provided Personal Data to the other Party in accordance with paragraph 18 of this Joint Schedule 11 above, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require. The Parties shall be responsible for their own compliance with Articles 13 and 14 UK GDPR in respect of the Processing of Personal Data for the purposes of the Contract. The Parties shall only provide Personal Data to each other: to the extent necessary to perform their respective obligations under the Contract; in compliance with the Data Protection Legislation (including by ensuring all required data privacy information has been given to affected Data Subjects to meet the requirements of Articles 13 and 14 of the UK GDPR); and where it has recorded it in Annex 1 (Processing Personal Data).
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its Processing of Personal Data as Independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the UK GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the UK GDPR.

Appears in 1 contract

Sources: Call Off Contract

Joint Controllers of Personal Data. In the event that the Parties are Joint Controllers in respect of Personal Data under this Agreement, the Parties shall implement Clauses that are necessary to comply with Article 26 of the UK GDPR based on the terms set out in Annex 1 to Schedule 11 (Processing Personal Data). With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the Joint Control of the Parties, each Party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. Each Party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other Party to be in breach of it. Where a Party has provided Personal Data to the other Party in accordance with Clause 24.17, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require. The Parties shall be responsible for their own compliance with Articles 13 and 14 of the UK GDPR in respect of the processing of Personal Data for the purposes of this Agreement.
The Parties shall only provide Personal Data to each other: to the extent necessary to perform the respective obligations under this Agreement; in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); where the Personal Data is subject to UK GDPR and where the provision of Personal Data from one Party to another involves transfer of such data to outside the UK, if the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 73; or the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as determined by the non-transferring Party which could include the International Data Transfer Agreement or International Data Transfer Agreement Addendum to the European Commission’s SCCs as published by the Information Commissioner’s Office and as set out in Annex 2 to Schedule 11 (Processing Personal Data), as well as any additional measures determined by the non-transferring Party; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; where the Personal Data is subject to EU GDPR and where the provision of Personal Data from one Party to another involves transfer of such data to outside the EU, if the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the EU GDPR; or the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU set out in Annex 3 to Schedule 11 (Processing Personal Data) or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and where it has recorded it in Schedule 11 (Processing Personal Data).
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the UK GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the UK GDPR. A Party processing Personal Data for the purposes of this Agreement shall maintain a record of its processing activities in accordance with Article 30 of the UK GDPR and shall make the record available to the other Party upon reasonable request. Where a Party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other Party pursuant to this Agreement (“the Request Recipient”): the other Party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. 
Each party shall promptly notify the other Party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other party pursuant to this Agreement and shall: do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Data Breach; implement any measures necessary to restore the security of any compromised Personal Data; work with the other Party to make any required notifications to the Information Commissioner’s Office or any other regulatory authority and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and not do anything which may damage the reputation of the other Party or that Party's relationship with the relevant Data Subjects, save as required by Law. Personal Data provided by one Party to the other Party may be used exclusively to exercise rights and obligations under this Agreement as specified in Schedule 11 (Processing Personal Data). Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this Agreement which is specified in Schedule 11 (Processing Personal Data). Notwithstanding the general application of Clauses 24.2 to 24.15 to Personal Data, where the Supplier is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 24.16 to 24.27.

Appears in 1 contract

Sources: Services Agreement

Joint Controllers of Personal Data. In the event that the Parties are Joint Controllers in respect of Personal Data under this Agreement, the Parties shall implement Clauses that are necessary to comply with GDPR Article 26 based on the terms set out in Annex 1 to Schedule 11 (Processing Personal Data). With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the Joint Control of the Parties, each Party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. Each Party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other Party to be in breach of it. Where a Party has provided Personal Data to the other Party in accordance with Clause 24.17, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require. The Parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the processing of Personal Data for the purposes of this Agreement. The Parties shall only provide Personal Data to each other: to the extent necessary to perform the respective obligations under this Agreement; in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); and where it has recorded it in Schedule 11 (Processing Personal Data).
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR. A Party processing Personal Data for the purposes of this Agreement shall maintain a record of its processing activities in accordance with Article 30 GDPR and shall make the record available to the other Party upon reasonable request. Where a Party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other Party pursuant to this Agreement (“the Request Recipient”): the other Party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. 
Each party shall promptly notify the other Party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other party pursuant to this Agreement and shall: do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Data Breach; implement any measures necessary to restore the security of any compromised Personal Data; work with the other Party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and not do anything which may damage the reputation of the other Party or that Party's relationship with the relevant Data Subjects, save as required by Law. Personal Data provided by one Party to the other Party may be used exclusively to exercise rights and obligations under this Agreement as specified in Schedule 11 (Processing Personal Data). Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this Agreement which is specified in Schedule 11 (Processing Personal Data). Notwithstanding the general application of Clauses 24.2 to 24.15 to Personal Data, where the Supplier is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 24.16 to 24.27.

Appears in 1 contract

Sources: Services Agreement