OBLIGATIONS OF THE DATA PROCESSOR Sample Clauses

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with these instructions from the Data Controller, and the Data Processor is, furthermore, obliged to comply with any and all data protection legislation in force from time to time. If European Union law or law of a EU Member State to which the Data Processor is subject stipulates that the Data Processor is required to process the personal data listed in clause 1.2, the Data Processor must inform the Data Controller of that legal requirement before processing. However, this does not apply if this legislation prohibits such information on important grounds of public interests. The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a EU Member State. 4.2 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to Danish data protection legislation in force at any time. These measures are described in more detail in Schedule 1. 4.3 The Data Processor must ensure that employees authorised to process the personal data have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality. 4.4 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. 4.5 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.6 The Data Processor, or another Data Processor (sub-Data Processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further proces...

OBLIGATIONS OF THE DATA PROCESSOR. 3.1. The Data Processor carries out the processing of Personal Data on behalf of the Data Controllers. 3.2. In discharging its obligations under this Agreement, the Data Processor is responsible for its compliance with Applicable Data Protection Law and will ensure that all necessary registrations and notifications are made and provide Client with a copy, on request, of evidence of such and evidence of any amendments or alterations made thereto. 3.3. The Data Processor agrees that it will: 3.3.1. process Personal Data only on behalf of the Data Controllers and in compliance with the Data Controllers’ instructions (which may be provided by Client), and this Agreement, and it shall not disclose Personal Data to any third party (including for back-up purposes) apart from the sub-processors authorized by Client (acting on behalf of the Data Controllers, as applicable) under this Agreement. If the Data Processor cannot provide such compliance, it shall promptly inform Client of its inability to comply, in which case Client is entitled to immediately terminate this Agreement and the Data Processor’s access to Personal Data and/or to take any other reasonable action; 3.3.2. immediately inform Client if in the Data Processor’s opinion an instruction from Client infringes Applicable Data Protection Law; 3.3.3. implement the Technical and Organizational Security Measures prior to the launch of the processing activities for the Personal Data and provide Client with copies of its privacy and security policies; 3.3.4. take all reasonable steps to ensure that (i) persons employed by it, and (ii) other persons engaged at its place of business, who will process Personal Data are aware of and comply with this Agreement; 3.3.5. comply with strict confidentiality obligations in respect of the Personal Data and ensure that its employees, authorized agents and any sub-processors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their employment, contract or at the end of their assignment; 3.3.6. inform Client without delay of: 3.3.6.1. any non-compliance by the Data Processor or its employees with this Agreement or the regulatory provisions relating to the protection of Personal Data processed under this Agreement; 3.3.6.2. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confident...

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor is only responsible for processing personal data on behalf of the Data Controller on the terms outlined in the Data Processing Agreement or if there is docu- mentation of an instruction from the Data Controller, cf. Section 5. 3.2 The Data Processor will assist and aid the Data Controller upon the request of the Data Controller by delivering relevant information and documentation aimed at allowing the Data Controller to document compliance with the Data Controller’s legal obligations, in- cluding, for example, the right to gain insight into personal data stored and impact as- sessments, etc. In return for providing such assistance to the Data Controller, in addition to changes and/or expansions of the instructions, the Data Processor may demand remu- neration based on time spent and for extra costs. The hourly rates for this are DKK 650 excluding VAT of 25%. 3.3 If a registered individual contacts the Data Processor with the intention of exercising his/her rights under the General Data Protection Regulation, the Data Processor will pass along this request without undue delay for processing. The Data Processor will assist the Data Controller in accordance with Section 3.2.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controllers complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processors makes changes to its systems, processes, etc. which requires chan- ges to the instructions, in which case Data Processor will notify the Data Controller of amen- dents to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement. 4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Con- troller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement. 4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data pro- tection provisions of a Member State. 4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU/EEA member states in force at any time. These measures shall meet and be equivalent to the certificate and security require- ments specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Dat...

OBLIGATIONS OF THE DATA PROCESSOR. 4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows: 4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws); 4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected; 4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In th...

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs the Data Processor to only Process Personal Data according to its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation. 5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes: a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this; g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Cont...

OBLIGATIONS OF THE DATA PROCESSOR. 3.1. The Data Processor shall solely be permitted to process Personal Data on documented instructions from the Data Controller to the extent necessary to perform its obligations under the Agreement, unless processing is required under UK, EU or Member State law to which the Data Processor is subject. In this case, and where possible to do so, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits disclosure of such information on important grounds of public interest. 3.2. The Data Processor shall inform the Data Controller as soon as reasonably possible if the instructions, in the opinion of the Data Processor, contravene the Applicable Data Protection Laws .

OBLIGATIONS OF THE DATA PROCESSOR. Data Processing 6.1 Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions, unless the Data Processor is required to do otherwise by law. 6.2 Only process the Personal Data & Special Categories of Personal Data only to the extent and in such a manner as is necessary for the provision of the services. 6.3 Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 and the GDPR. 6.4 Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller. 6.5 Implement appropriate technical and organisational measures to protect the Personal Data, and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor undertakes to Process Personal Data only in accordance with the Data Controller’s documented instructions and the provisions contained in this Data Processing Agreement and in the Access Agreement. The Data Processor shall not Process Personal Data for which the Data Controller is a Data Controller for any other purposes. 3.2 Should the Data Controller present new instructions that go beyond the provisions contained in this Data Processing Agreement or the Access Agreement, the Data Processor shall be entitled to remuneration in accordance with the Data Processing Agreement’s price list applicable from time to time, or as agreed between the Parties. 3.3 Notwithstanding what is stated in section 3.1 above, the Data Processor may Process Personal Data to the extent required to enable the Data Processor to fulfil its obligations under Applicable Legislation. However, the Data Processor is obligated to inform the Data Controller of the legal obligation, unless the Data Processor is prevented by Applicable Legislation from providing such information. 3.4 Notwithstanding the governing law provisions set forth in the Access Agreement, the Applicable Personal Data Legislation shall apply to the Processing of Personal Data that are subject to the terms of this Data Processing Agreement. 3.5 The Data Processor must notify the Data Controller if the Data Processor is unable to meet its obligations set forth in this Data Processing Agreement, or if the Data Processor considers that an instruction given by the Data Controller concerning the Processing of Personal Data would constitute a violation of Applicable Personal Data Legislation, unless the Data Processor is prevented by Applicable Legislation from providing such information to the Data Controller.