Obligations of Processor. Processor shall collect, process and use Personal Data only within the scope of Controller’s Instructions. If the Processor thinks that an instruction of the Controller infringes the BDSG or other data protection provisions, it shall point this out to the principal without delay. Within Processor’s area of responsibility, Processor shall structure Processor’s internal corporate organisation to ensure compliance with the specific requirements of the protection of Personal Data. Processor shall take the appropriate technical and organisational measures to adequately protect Controller’s Personal Data against misuse and loss in accordance with the requirements of the German Federal Data Protection Act (§ 9 BDSG) or a corresponding provision of the otherwise applicable national data protection law. Such measures hereunder shall include, but not be limited to,
a) the prevention of unauthorised persons from gaining access to Personal Data Processing systems (physical access control),
b) the prevention of Personal Data Processing systems from being used without authorisation (logical access control),
c) ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorisation (data access control),
d) ensuring that Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
e) ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),
f) ensuring that Personal Data Processed are Processed solely in accordance with the Instructions (control of instructions),
g) ensuring that Personal Data are protected against accidental destruction or loss (availability control),
h) ensuring that Personal Data collected for different purposes can be processed separately (separation control).
A measure as referred to in lit. b to d above shall be in particular, but shall not be limited to, the use of state of the art encryption technology for client access. An overview of the above listed technical and organizational measures shall be attached to this DPA as an appendix. Upon Controller’s request, Processor shall provide a current Personal Data protection and security programme covering Processing hereunder. Upon Controller’s request, and except where Controller is able to obtain such information directly, Processor shall provide all information necessary for compiling the overview defined by § 4g para. 2 sentence 1 BDSG or a corresponding provision of the otherwise applicable national data protection law. Processor shall ensure that any personnel entrusted with Processing Controller’s Personal Data have undertaken to comply with the principle of data secrecy in accordance with § 5 BDSG (or a corresponding provision of the otherwise applicable national data protection law) and have been duly instructed on the protective regulations of the BDSG or the otherwise applicable national data protection law. The undertaking to secrecy shall continue after the termination of the above-entitled activities. The Processor shall appoint a data protection official, if this is legally required and, upon request of Controller, Processor shall notify to Controller the contact details of the data protection official. Processor shall, without undue delay, inform Controller in case of a serious interruption of operations or violations by the Processor or persons employed by it of provisions to protect Personal Data or of terms specified in this DPA.
In such an event, Processor shall implement the measures necessary to secure the Personal Data and to mitigate potential adverse effects on the data subjects and shall agree upon the same with Controller without undue delay. Processor shall support Controller in fulfilling Controller’s disclosure obligations under section 42a BDSG (or a corresponding provision of the otherwise applicable national data protection law). Controller shall retain title as to any carrier media provided to Processor as well as any copies or reproductions thereof. Processor shall store such media safely and protect them against unauthorised access by third parties. Processor shall, upon Controller’s request, provide to Controller all information on Controller’s Personal Data and information. Processor shall be obliged to securely delete any test and scrap material based on an Instruction issued by Controller on a case-by-case basis. Where Controller so decides, Processor shall hand over such material to Controller or store it on Controller’s behalf. Processor shall be obliged to audit and verify the fulfilment of the above-entitled obligations and shall maintain an adequate documentation of such verification.
Sources: Data Processing Agreement