Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR.

3.1. The Data Processor carries out the processing of Personal Data on behalf of the Data Controllers.
3.2. In discharging its obligations under this Agreement, the Data Processor is responsible for its compliance with Applicable Data Protection Law and will ensure that all necessary registrations and notifications are made and provide Client with a copy, on request, of evidence of such and evidence of any amendments or alterations made thereto.
3.3. The Data Processor agrees that it will:
3.3.1. process Personal Data only on behalf of the Data Controllers and in compliance with the Data Controllers’ instructions (which may be provided by Client), and this Agreement, and it shall not disclose Personal Data to any third party (including for back-up purposes) apart from the sub-processors authorized by Client (acting on behalf of the Data Controllers, as applicable) under this Agreement. If the Data Processor cannot provide such compliance, it shall promptly inform Client of its inability to comply, in which case Client is entitled to immediately terminate this Agreement and the Data Processor’s access to Personal Data and/or to take any other reasonable action;
3.3.2. immediately inform Client if in the Data Processor’s opinion an instruction from Client infringes Applicable Data Protection Law;
3.3.3. implement the Technical and Organizational Security Measures prior to the launch of the processing activities for the Personal Data and provide Client with copies of its privacy and security policies;
3.3.4. take all reasonable steps to ensure that (i) persons employed by it, and (ii) other persons engaged at its place of business, who will process Personal Data are aware of and comply with this Agreement;
3.3.5. comply with strict confidentiality obligations in respect of the Personal Data and ensure that its employees, authorized agents and any sub-processors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their employment, contract or at the end of their assignment;
3.3.6. inform Client without delay of:
3.3.6.1. any non-compliance by the Data Processor or its employees with this Agreement or the regulatory provisions relating to the protection of Personal Data processed under this Agreement;
3.3.6.2. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
3.3.6.3. any Security Incident;
3.3.6.4. any notice, inquiry or investigation by a Supervisory Authority; and
3.3.6.5. any complaint, inquiry or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from the data subjects without responding to that request, unless Client has authorized a response;
3.3.7. to fully co-operate with and assist Client or any Data Controller, as applicable, without delay in respect of that Data Controller’s obligations regarding:
3.3.7.1. requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Personal Data. In the event that a data subject sends such a request directly to the Data Processor, the Data Processor will pass it on to Client without delay;
3.3.7.2. the investigation of any Security Incident and the notification to the Supervisory Authority and data subjects in respect of such Security Incidents;
3.3.7.3. the preparation of data protection impact assessments and, where applicable, carrying out consultations with the Supervisory Authority;
3.3.7.4. the security of Personal Data, including by implementing the Technical and Organizational Security Measures;
3.3.8. deal promptly, properly and in good faith with all reasonable inquiries relating to the Data Processor’s processing of Personal Data whether such inquiry is made by Client, a particular Data Controller, a data subject or any Supervisory Authority;
3.3.9. if the Data Processor is required by law to process Personal Data, inform Client of this requirement in advance of any processing, unless the Data Processor is prohibited from informing Client on grounds of important public interest; and
3.3.10. make available to Client (and, to the extent strictly required by law, the Data Controller, as applicable) all information necessary to demonstrate compliance with the obligations in this Clause 3.
3.4. The Data Processor agrees at the request of Client to submit its data processing facilities and/or any location from which Personal Data can be accessed by the Data Processor for audit to ascertain and/or monitor compliance with this Agreement, the GDPR and any other applicable data protection or privacy law generally. Such audit shall be carried out, with reasonable notice and during regular business hours and under a duty of confidentiality, by Client and/or by a third party appointed by Client.

Appears in 1 contract

Sources: Master Services Agreement

OBLIGATIONS OF THE DATA PROCESSOR.

3.1 The Data Processor will process the personal data in compliance with The Data Protection ▇▇▇ ▇▇▇▇.
3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data.
3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate the delivery of the Data Controller’s community alarm telecare monitoring and administration service i.e. to be determined case by case
3.4 The Data Processor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement.
3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data.
3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days.
3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law.
3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom.
3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub-contractor it uses to process the personal data complies with the terms of this agreement.
3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller.
3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on.
3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, a root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties.
3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste.
3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub-contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub-contractor to ensure adherence to the terms of this agreement.

Appears in 1 contract

Sources: Contract Relating to Carer Support Information & Advice Services

OBLIGATIONS OF THE DATA PROCESSOR.

3.1. The Data Controller determines the purposes for which Client Personal Data is Processed in the context of the provision of the Service.
3.2. Aside from the obligations listed in Annexes 1 and 2 of this DPA, Data Processor further commits to complying with the following obligations:
a) Data Processor will Process Client Personal Data only as necessary to provide the Service and subject to Data Controller’s written instructions provided in this DPA. For these purposes, the Service Agreement and this DPA set out Data Controllers’ complete instructions to Data Processor in relation to the Processing of Client Personal Data – any Processing required which is outside the scope of these instructions (including the rights and obligations laid down in the MSA) will require prior written agreement between the Parties;
b) Data Processor will notify Data Controller in the event that it considers a specific written instruction received from Data Controller to be in violation of the Applicable Data Protection Laws. In no case will Data Processor be under any obligation to perform a comprehensive legal examination of any written instructions provided by the Client;
c) Aramex, as Data Processor, will notify Data Controller without undue delay of any contact, communication or correspondence it may receive from a Supervisory Authority, related to the Processing of Client Personal Data. Both Parties acknowledge and agree that the responsibility for replying to such contacts, communications or correspondence rests solely on Data Controller, and not on Data Processor;
d) Data Processor has implemented adequate operational, technical and organisational measures under Article 32 of the Regulation (which are described in Annex 2 of this DPA), to protect the Client Personal Data (including Special Categories of Personal Data).
The Parties acknowledge and agree that Data Processor is responsible for specifically allowed to implement adequate alternative measures or use alternative locations to Process the Client Personal Data, so long as the security level of the measures is maintained and is, in all respects, adequate; e) In the event that Data Processor discloses Client Personal Data to its compliance with Applicable personnel which is directly and exclusively involved in the provision of the Service, Data Protection Law and Processor will ensure that all necessary registrations and notifications are made and provide Client with a copy, on request, of evidence of such and evidence of any amendments or alterations made thereto. 3.3. The Data Processor agrees that it willpersonnel: 3.3.1. process i) is committed to confidentiality or is under an appropriate statutory obligation of confidentiality; and ii) Processes Client Personal Data only on behalf under the instructions of the Data Controllers Processor, and in compliance with the Data Controllers’ instructions (which may be provided by Client), and this Agreement, and it shall not disclose Personal Data to any third party (including for back-up purposes) apart from the sub-processors authorized by Client (acting on behalf of the Data Controllers, as applicable) under this Agreement. If the Data Processor cannot provide such compliance, it shall promptly inform Client of its inability to comply, in which case Client is entitled to immediately terminate this Agreement and the Data Processor’s access to Personal Data and/or to take any other reasonable action; 3.3.2. immediately inform Client if in the Data Processor’s opinion an instruction from Client infringes Applicable Data Protection Law; 3.3.3. implement the Technical and Organizational Security Measures prior to the launch of the processing activities for the Personal Data and provide Client with copies of its privacy and security policies; 3.3.4. 
take all reasonable steps to ensure that (i) persons employed by it, and (ii) other persons engaged at its place of business, who will process Personal Data are aware of and comply with this Agreement; 3.3.5. comply with strict confidentiality obligations in respect of the Personal Data and ensure that its employees, authorized agents and any sub-processors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their employment, contract or at the end of their assignment; 3.3.6. inform Client without delay of: 3.3.6.1. any non-compliance by the Data Processor or its employees with this Agreement or the regulatory provisions relating to the protection of Personal Data processed under this Agreement; 3.3.6.2. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities; 3.3.6.3. any Security Incident; 3.3.6.4. any notice, inquiry or investigation by a Supervisory Authority; and 3.3.6.5. any complaint, inquiry or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from the data subjects without responding that request, unless Client has authorized a response; 3.3.7. to fully co-operate with and assist Client or any Data Controller, as applicable, without delay in respect of that Data Controller’s obligations regarding: 3.3.7.1. requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Personal Data. In the event that a data subject sends such a request directly to the Data Processor, the Data Processor will pass it on to Client without delay; 3.3.7.2. 
the investigation of any Security Incident and the notification to the Supervisory Authority and data subjects in respect of such Security Incidents; 3.3.7.3. the preparation of data protection impact assessments and, where applicable, carrying out consultations with the Supervisory Authority; 3.3.7.4. the security of Personal Data, including by implementing the Technical and Organizational Security Measures; 3.3.8. deal promptly, properly and in good faith with all reasonable inquires relating to the Data Processor’s processing of Personal Data whether such inquiry is made by Client, a particular Data Controller, a data subject or any Supervisory Authority; 3.3.9. if the Data Processor is required by law to process Personal Data, inform Client of this requirement in advance of any processing, unless the Data Processor is prohibited from informing Client on grounds of important public interest; and 3.3.10. make available to Client (and, to the extent strictly required by law, the Data Controller, as applicable) all information necessary to demonstrate compliance with the obligations in this Clause 3DPA. 3.4. The Data Processor agrees at the request of Client to submit its data processing facilities and/or any location from which Personal Data can be accessed by the Data Processor for audit to ascertain and/or monitor compliance with this Agreement, the GDPR and any other applicable data protection or privacy law generally. Such audit shall be carried out, with reasonable notice and during regular business hours and under a duty of confidentiality, by Client and/or by a third party appointed by Client.

Appears in 1 contract

Sources: Personal Data Processing Addendum

OBLIGATIONS OF THE DATA PROCESSOR.

3.1 The Data Processor will process the personal data in compliance with The Data Protection ▇▇▇ ▇▇▇▇.
3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data.
3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate the delivery of the Data Controller’s community alarm telecare monitoring and administration service i.e. to be determined case by case
3.4 The Data Processor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement.
3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data.
3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days.
3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law.
3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom.
3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub-Provider it uses to process the personal data complies with the terms of this agreement.
3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller.
3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on.
3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, a root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties.
3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste.
3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub-Provider is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub-Provider to ensure adherence to the terms of this agreement.

Appears in 1 contract

Sources: Contract

OBLIGATIONS OF THE DATA PROCESSOR.
2.3.1 The Data Processor will process the Personal Data in compliance with applicable data protection regulations, including the Data Protection ▇▇▇ ▇▇▇▇ and Regulation (EU) 2016/679 (the “General Data Protection Regulations”).
2.3.2 The Data Processor undertakes that it shall process the Personal Data strictly in accordance with the Data Controller's instructions for the processing of that personal data.
2.3.3 The Data Processor will process the Personal Data for the purposes defined in Schedule C only.
2.3.4 The Data Processor will treat the personal data, and any other Information provided by the Data Controller as confidential, and will ensure that access to the Personal Data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement.
2.3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the Personal Data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of Personal Data.
2.3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests, rectification requests, erasure requests, requests for restriction of processing, objections or complaints which may be received from the data subjects of the Personal Data.
2.3.7 The Data Processor will notify and cooperate with the Data Controller promptly with requests made under the Freedom of Information ▇▇▇ ▇▇▇▇.
2.3.8 The Data Processor will not disclose the Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law.
2.3.9 The Data Processor will transfer or store the Personal data only as permitted in Schedule B.
2.3.10 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller, detailed in Schedule B. Where such written agreement is provided, the Data Processor will ensure that any sub-contractor it uses to process the personal data complies with the terms of this agreement.
2.3.11 The Data Processor will employ appropriate operational and technological processes and procedures summarised in Schedule E to keep the Personal Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to be appropriate to the services being provided to the Data Controller.
2.3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within 2 working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Compliance and Information Security staff whilst they carry out a risk assessment, a root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties.
2.3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate methods.
2.3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub-contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub-contractor to ensure adherence to the terms of this agreement.

Appears in 1 contract

Sources: Data Processing Agreement

OBLIGATIONS OF THE DATA PROCESSOR.
4.1. The Data Processor carries out the processing of Relevant Data on behalf of the Data Controller.
4.2. In discharging its obligations under the Agreement and this Data Sharing Agreement, the parties are responsible for its compliance with all applicable data protection or privacy legislation and will ensure that all necessary registrations and notifications are made and provide the other party with a copy, on request, of evidence of such and evidence of any amendments or alterations made thereto.
4.3. Without prejudice to the generality of clause 4.2 and further to the provisions of Article 28 of the GDPR, the Data Processor agrees that it will:
4.3.1. process Relevant Data only on behalf of the Data Controller and in compliance with the Data Controller’s instructions (including relating to international data transfers), this Data Sharing Agreement and the Agreement and it shall not disclose Relevant Data to any third party (including for back-up purposes) apart from the sub-processors authorised by the Data Controller under this Data Sharing Agreement, and which are listed in Schedule B. If the Data Processor cannot provide such compliance, it shall promptly inform the Data Controller of its inability to comply in which case the Data Controller is entitled to immediately terminate the Agreement and this Data Sharing Agreement and the Data Processor’s access to Relevant Data and/or to take any other reasonable action;
4.3.2. if in the Data Processor’s opinion an instruction from the Data Controller infringes Applicable Data Protection Law, immediately inform the Data Controller;
4.3.3. implement the technical and organisational security measures provided for in Schedule C prior to the launch of the processing activities for the Relevant Data and provide the Data Controller with copies of its privacy and security policies;
4.3.4. take all reasonable steps to ensure that (i) persons employed by it; and (ii) other persons engaged at its place of business, who will process Relevant Data, are aware of, and comply with this Data Sharing Agreement; and that there is a Data Protection Officer whose primary concern is enabling compliance with the GDPR;
4.3.5. comply with strict confidentiality obligations in respect of the Relevant Data and ensure that its employees, authorised agents and any sub-processors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Relevant Data, including after the end of their employment, contract or at the end of their assignment;
4.3.6. inform the Data Controller without delay of:
4.3.6.1. any non-compliance by the Data Processor or its employees with this Data Sharing Agreement or the regulatory provisions relating to the protection of Relevant Data processed under this Data Sharing Agreement;
4.3.6.2. any legally binding request for disclosure of Relevant Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
4.3.6.3. any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of Relevant Data;
4.3.6.4. any notice, inquiry or investigation by a supervisory authority; and
4.3.6.5. any complaint, inquiry or request (in particular, requests for access to, rectification or blocking of Relevant Data) received directly from the data subjects without responding to that request, unless the Data Controller has authorised a response;
4.3.7. to fully co-operate with and assist the Data Controller without delay in respect of the Data Controller’s obligations regarding:
4.3.7.1. requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Relevant Data. In the event that a data subject sends such a request directly to the Data Processor, the Data Processor will pass it on to the Data Controller without delay;
4.3.7.2. the investigation of any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of Relevant Data and the notification to the supervisory authority and data subjects in respect of such incidents;
4.3.7.3. the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;
4.3.7.4. the security of Relevant Data, including by implementing the technical and organisational security measures provided for in Schedule C;
4.3.8. if the Data Processor is required by law to process Relevant Data, inform the Data Controller of this requirement in advance of any processing, unless the Data Processor is prohibited from informing the Data Controller on grounds of important public interest; and
4.3.9. make available to the Data Controller all information necessary to demonstrate compliance with the obligations in this Clause 4.

Appears in 1 contract

Sources: Data Processing Agreement