Common use of Joint Controllers of Personal Data Clause in Contracts

Joint Controllers of Personal Data. In the event that the Parties are Joint Controllers in respect of Personal Data under the LVPS Contract, the Parties shall implement paragraphs that are necessary to comply with UK GDPR Article 26 based on the terms set out in Appendix 2 to this Annex B. With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the Joint Control of the Parties, each Party undertakes to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Controller. Each Party shall Process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other Party to be in breach of it. Where a Party has provided Personal Data to the other Party in accordance with paragraph 7 of this Annex B above, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require. The Parties shall be responsible for their own compliance with Articles 13 and 14 UK GDPR in respect of the Processing of Personal Data for the purposes of the LVPS Contract. The Parties shall only provide Personal Data to each other: to the extent necessary to perform their respective obligations under the LVPS Contract; in compliance with the Data Protection Legislation (including by ensuring all required data privacy information has been given to affected Data Subjects to meet the requirements of Articles 13 and 14 of the UK GDPR); and where it has recorded it in Appendix 1 (Processing Personal Data). Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its Processing of Personal Data as Independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the UK GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the UK GDPR.

Joint Controllers of Personal Data. In the event that the Parties are Joint Controllers in respect of Personal Data under the LVPS Contractthis Agreement, the Parties shall implement paragraphs Clauses that are necessary to comply with Article 26 of the UK GDPR Article 26 based on the terms set out in Appendix 2 Annex 1 to this Annex B. Schedule 24 (Processing, Personal Data and Data Subjects). With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the Joint Control of the Parties, each Party undertakes to comply with the applicable Data Protection Legislation in respect of their Processing processing of such Personal Data as Controller. Each Party shall Process process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other Party to be in breach of it. Where a Party has provided Personal Data to the other Party in accordance with paragraph 7 of this Annex B aboveClause 32.4.1, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require. The Parties shall be responsible for their own compliance with Articles 13 and 14 of the UK GDPR in respect of the Processing processing of Personal Data for the purposes of the LVPS Contractthis Agreement. The Parties shall only provide Personal Data to each other: to the extent necessary to perform their the respective obligations under the LVPS Contractthis Agreement; in compliance with the Data Protection Legislation (including by ensuring all required data privacy fair processing information has been given to affected Data Subjects Subjects); where the provision of Personal Data from one Party to meet another involves transfer of such data to outside the requirements UK and/or the EEA, if the prior written consent of Articles 13 the non-transferring Party has been obtained and 14 the following conditions are fulfilled: the destination country has been recognised as adequate by the UK government is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74A and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75 and/or Article 46 of the EU GDPR (where applicable)) as determined by the non-transferring Party which could include the relevant parties entering into: where the transfer is subject to UK GDPR the UK International Data Transfer Agreement (the "IDTA") as published by the Information Commissioner’s Office or such updated version of such IDTA as is published by the Information Commissioner’s Office under section 119A(1) of the DPA 2018 from time to time; or the European Commission’s Standard Contractual Clauses per decisions 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time (the “EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner’s Office from time to time; and/or where the transfer is subject to EU GDPR, the EU SCCs; as well as any additional measures determined by the Controller being implemented by the importing party; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and where it has recorded it in Appendix 1 Schedule 24 (Processing Processing, Personal DataData and Data Subjects). Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its Processing processing of Personal Data as Independent independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the UK GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the UK GDPR. A Party processing Personal Data for the purposes of this Agreement shall maintain a record of its processing activities in accordance with Article 30 of the UK GDPR and shall make the record available to the other Party upon reasonable request. Where a Party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other Party pursuant to this Agreement (the "Request Recipient”): the other Party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. Each Party shall promptly notify the other Party upon it becoming aware of any Data Loss Event relating to Personal Data provided by the other party pursuant to this Agreement and shall: do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Data Breach; implement any measures necessary to restore the security of any compromised Personal Data; work with the other Party to make any required notifications to the Information Commissioner’s Office or any other regulatory authority and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and not do anything which may damage the reputation of the other Party or that Party's relationship with the relevant Data Subjects, save as required by Law. Personal Data provided by one Party to the other Party may be used exclusively to exercise rights and obligations under this Agreement as specified in Schedule 24 (Processing, Personal Data and Data Subjects). Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this Agreement which is specified in Schedule 24 (Processing, Personal Data and Data Subjects). Notwithstanding the general application of Clause 32.2 to relevant Personal Data, where the Provider is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 32.4.