Lawful Basis for Processing.

4.1 The Client warrants that:
a. it has conducted an assessment of the purposes and lawful bases of processing of personal data which will be provided to DWS under Service Agreements;
b. the Categories of Personal Data, Categories of Data Subjects, Purposes, Retention Period(s), Third Countries, Recipients and Lawful Bases set out in the Schedule are amongst those which it is lawfully permitted to process the personal data of data subjects named in the Schedule; and
c. the Schedule is otherwise correct in all material respects.

4.2 DWS shall in relation to any personal data processed in connection with the performance by DWS of its obligations under a Service Agreement:
a. process personal data only on the written instructions of the Client unless DWS is required by the laws of any member of the European Union or by the laws of the European Union applicable to DWS to process personal data (“Relevant Laws”).
b. where DWS relies on laws of a member of the European Union or European Union law as the basis for processing personal data, DWS shall notify the Client of the same before performing the processing required by the Relevant Laws unless those Relevant Laws prohibit DWS from so notifying the Client.
c. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Such measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.
d. ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential.
e. not transfer any personal data outside of the European Economic Area unless the transfer is initiated by the Client or its agents, or prior written consent of DWS has been obtained and the following conditions are fulfilled:
   i. the Client and DWS have provided appropriate safeguards in relation to the transfer;
   ii. the data subject has enforceable rights and effective legal remedies;
   iii. DWS complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
   iv. DWS complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data.
f. assist the Client, at the Client's cost, to respond to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
g. notify the Client without undue delay on becoming aware of a personal data breach.
h. at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of the agreement unless required by Relevant Laws to store the personal data.

4.3 The Parties shall cooperate to assist the other to comply with the terms of the GDPR.

4.4 Each of the Parties warrants that the Schedule sets out the scope, nature and purpose of processing by DWS, the duration of the processing and the types of personal data and categories of data subject.

4.5 To the extent that the Client requests the assistance of DWS and such assistance is not able to be supplied by DWS in a computer automated fashion whereby the Client may obtain the data it requires itself through the user interfaces of DWS systems, such assistance shall be supplied on a time and materials basis by DWS.

4.6 Each of the Parties shall notify the other where there are or is expected to be material changes required to the Schedule and each Party will thereafter comply with clause 3.2.

4.7 DWS shall maintain complete and accurate records and information to demonstrate its compliance with this clause.

4.8 The Client consents to DWS appointing sub-processors generally and specifically Microsoft and its subsidiaries as a third-party processor of personal data. The Client confirms that the Supplier may enter into written agreements with Microsoft Corporation and/or its subsidiaries for the provision of cloud based services provided by the Azure platform.

4.9 DWS shall inform the Client of any intended changes concerning the addition or replacement of subprocessor.

4.10 DWS may, at any time on not less than 30 days’ notice, revise this clause 3 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attaching the same to this Agreement and delivering the same to the Client).