Obligations of Processor.

5.1 Processor shall, unless otherwise permitted by law or on another basis (e.g. the data subject's consent), collect, process or use data only as commissioned by Controller and in compliance with the Instructions of Controller and, in particular, not for its own purposes. Processor will correct, delete, rectify or block the data processed on behalf of Controller only as instructed by Controller. If a data subject contacts Processor with a request for correction or deletion of its data, Processor shall forward the request to Controller.

5.2 Processor shall also be entitled to use certain data which it receives in the course of providing product support in a form that will not allow the respective Processor personnel to re-identify any natural person (e.g. a physician, hospital staff or patient). Such use occurs for the purposes of (i) fulfilling legal obligations (e.g. product monitoring and reporting obligations), or (ii) exercising other legitimate interests and lawful purposes of Processor and Controller, in particular those to improve the quality and functionality of Processor's products by using selected support data (e.g. de-identified CT or MRT images) to, inter alia, test new releases of the products.

5.3 Processing takes place on the Instructions of the Controller only, unless the Processor is required to process by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest (cf. Art. 28 para. 3 lit. a GDPR).

5.4 Unless prohibited by applicable law or by a legally binding request of an authority, Processor shall promptly notify Controller of any request by public authorities, a data protection supervisory authority or a law enforcement authority for access to or seizure of Personal Data of the Controller as provided hereunder.

5.5 Before granting access to Personal Data, Processor will oblige persons employed in processing Personal Data to data secrecy and confidentiality and familiarize them with the provisions set forth in the data protection obligations applicable to Processor. Where necessary, this shall include obligating the relevant personnel to professional secrecy (including, if any, derivative obligations, for example when processing data originating from hospitals or medical doctors) or to telecommunications secrecy if and to the extent that the respective services have been agreed upon in the Master Agreement. If required by professional law and professional conduct rules, Controller shall take all necessary measures or coordinate them with its customers and inform and instruct the Processor accordingly.

5.6 Insofar as required by statutory law, Processor will appoint a data protection officer and shall make the officer's contact details available to Controller during the term of this Agreement.

5.7 Processor will without undue delay notify Controller of violations of Instructions or of provisions for the protection of Controller's Personal Data by Processor or by a person employed by Processor. If Personal Data have been lost, unlawfully transferred or otherwise unlawfully disclosed to third parties within the meaning of Art. 33 and 34 GDPR, Controller shall be informed of such incidents without undue delay. Processor shall, in consultation with Controller, take appropriate measures to safeguard the data and to mitigate potentially adverse consequences for the data subjects. Furthermore, Processor shall without undue delay inform Controller of serious disruptions of the normal course of operations, any suspicion of data protection violations or other irregularities in processing the data of Controller.

Processor acknowledges that Controller is obliged to document breaches of the protection of Personal Data and, if necessary, to inform the supervisory authority or the data subject, respectively, of such breach. If and insofar as such breaches have occurred, Processor will assist the Controller in accordance with Art. 28 para. 3 lit. f GDPR in complying with its reporting obligations in a proper manner so that the Controller can perform its obligations hereunder in a timely fashion. Processor will notify the breach to the Controller and provide at least the following information, insofar as Processor has the relevant information: (a) a description of the nature of the breach, including, if possible, the categories and approximate number of data subjects and data records involved; (b) the name and contact details of a contact person for further information; (c) a description of the probable consequences of the breach; (d) a description of the measures taken to remedy or mitigate the breach.

5.8 Processor will inform Controller of any monitoring activity of, and measures taken by, the supervisory authority with regard to the processing of Personal Data of Controller.

5.9 If Controller is obliged under applicable statutory data protection law to provide information on the collection, processing or use of data, Processor shall provide Controller with any and all respective information.

5.10 Processor shall monitor compliance with the obligations specified above during the execution of the commissioned data processing.

5.11 Processor shall maintain a written record of all categories of processing activities carried out on behalf of the Controller in accordance with Art. 30 para. 2 GDPR.

5.12 If applicable, Processor assists in accordance with Art. 28 para. 3 lit. f GDPR with the preparation of a data protection impact assessment pursuant to Art. 35 GDPR and, where appropriate, assists with the prior consultation of the supervisory authority pursuant to Art. 36 GDPR. On Controller's request, Processor shall disclose the required information and documents to Controller. The additional costs incurred by these services are to be reimbursed to the Processor.

5.13 The Processor shall implement appropriate measures against data misuse and data loss and for the recoverability of data (e.g. by creating industry-standard backups), as far as this is agreed in the Master Agreement.
Source: Supplemental Agreement on Data Processing