Common use of Obligations of the Processor Clause in Contracts

Obligations of the Processor.

(1) The processor is obliged to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes.

(2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation.

(3) Persons who may gain knowledge of the data processed on behalf of the controller must commit in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation.

(4) The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks.

(5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request.

(6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data processing activities carried out by the processor are concerned.

(7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay.

(8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay.

(9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer.

(10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement.

(11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay.

(12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Appears in 4 contracts

Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement

Obligations of the Processor. (1) The processor Processor confirms that it is obliged to maintain strict confidentiality during processing and shall process personal aware of the relevant data only as contractually agreed or as instructed by protection regulations. The Processor will organize its internal procedures in such a way that it meets the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the special requirements of data provided for processing for any other purpose, in particular for his own purposesprotection. (2) The processor assures Processor provides adequate guarantees that appropriate technical and organizational measures are in place to ensure that the persons employed by him for processing have been made familiar complies with the relevant provisions of data protection rules and this Agreement prior to commencement the rights of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure that persons assigned to the data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitationsubject. 
(3) Persons who may gain knowledge The Processor warrants that it will familiarize the personnel involved in the performance of the work with the applicable data processed on behalf of protection provisions and that persons authorized to process the controller must commit in writing to maintain confidentiality, unless they personal data are already legally bound by confidentiality or are subject to a relevant an appropriate statutory confidentiality obligation. It monitors compliance with data protection regulations. (4) The processor confirms that he is aware Processor may access personal data of the relevant general data protection regulations. He shall comply with the principles Controller for purposes of proper data processing and ensure proper data on behalf only if this is indispensable for processing by means of ongoing monitoring and regular checksthe data. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data processing activities carried out by the processor are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. 
(9) To the extent required by law, the processor shall Processor will appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must will be communicated to the controller without delayController to enable direct contact. (126) The processor Processor may process the personal data provided to it exclusively in the territory of the Federal Republic of Germany or in a member state of the European Union. Processing personal data in a third country requires the Controller's prior approval and may only be done when the special legal requirements are complied with. (7) The Processor shall comply support the Controller with all principles set out appropriate technical and organizational measures to enable the Controller to fulfil its existing obligations towards the data subject, e.g. information and disclosure to the data subject, correction or deletion of data, restriction of processing or the right to data transferability and objection. 
The Processor shall appoint a contact person who will assist the Controller in complying with legal information and disclosure obligations arising in connection with data processing on behalf and shall inform the Controller of the contact details without delay. Insofar as the Controller is subject to special legal obligations to provide information in the event of unlawful knowledge of data, the Processor shall support the Controller in this. The Processor may only provide information to the data subject or third parties after being instructed accordingly by the GÉANT Data Protection Code of Conduct in its most current versionController. If a person concerned asserts his or her rights under data protection law directly against the Processor, which will be made available the Processor shall immediately forward this request to the processor by the controller upon requestController.

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement

Obligations of the Processor. (1a) The processor is obliged to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes. (2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor Processor shall ensure that persons assigned authorised by the Processor to process the personal data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf of the controller must commit Controller, in writing to maintain confidentialityparticular the Processor's employees as well as employees of any Subprocessors, unless they are already legally subject to a relevant binding obligation of confidentiality obligationand that such persons process any personal data to which they have access in compliance with the Controller's instructions. (4b) The processor confirms that he is aware Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the relevant general data protection regulationsController. 
He shall comply with The Processor may amend the principles of proper data processing technical and ensure proper data processing by means of ongoing monitoring organisational measures from time to time provided that the amended technical and regular checksorganisational measures are not less protective than those set out in Annex 2. (5c) In connection The Processor shall make available to the Controller any information necessary to demonstrate compliance with the commissioned obligations of the Processor relating to information security as required by Applicable data processingprotection law and by this Schedule to the extent applicable to the Services. The Processor is in particular obliged to allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the processor Controller or another auditor mandated by the Controller in relation to the processing of the personal data. The Processor’s contribution to such audits shall assist be proportionate to the controller in drawing up nature and updating purpose of the record processing and subject to receipt by the Processor of reasonable notice. (d) The Processor shall notify the Controller (using the contact details provided by the Controller) without undue delay of becoming aware of a personal data breach and the Processor will provide reasonable assistance to the Controller with the Controller's obligation under Applicable Data Protection Laws to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing activities and in carrying out the information available to the Processor. For the avoidance of doubt, these obligations shall not be construed as an acknowledgement by the Processor of any liability for a Personal Data Breach or failure to prevent it. 
(e) The Processor shall provide reasonable assistance (taking account of the nature of the processing and the information available to the Processor) to the Controller with its obligation under Applicable Data Protection Laws, to carry out: a. a data protection impact assessment. All necessary information and documentation shall be provided and forwarded ; and b. prior consultation with the supervisory authorities that relates to the controller upon requestServices provided by the Processor to the Controller under this Schedule by providing the necessary and available information to the Controller on reasonable request to allow it to meet its obligations under the Applicable Data Protection Laws. (6f) If The Processor shall, at the controller is subject to an inspection by supervisory authorities option of the Controller, delete or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller return to the extent necessary, as far as the Controller all personal data processing activities carried out which are processed by the processor are concernedProcessor on behalf of the Controller under this Schedule after the end of the provision of the Services, and delete any existing copies unless Applicable Data Protection Laws require the Processor to retain such personal data. For the avoidance of doubt, this obligation shall not be infringed by the shredding of material containing personal data which was provided to the Processor by the Controller for destruction in the normal course of the Services. (7g) The processor Processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for designate a data protection without delay. (8) The processor shall not provide information officer and/or a representative, to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. 
(9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officerApplicable Data Protection Law. The controller may contact the data protection officer directly. The processor Processor shall inform the controller of the provide contact details of the data protection officer or of and/or representative, if any, to the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officerController. (10h) The Processor shall not process personal data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent outside of the controller and under country where the conditions contained in Chapter V of personal data was originally received from the GDPR and in compliance with the provisions of this AgreementController. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Appears in 2 contracts

Sources: Data Processing Schedule, Data Processing Schedule

Obligations of the Processor. (1) The processor is obliged Within the scope of this Data Processing Covenant, and in its use of the services, the Processor shall be solely responsible for complying with the statutory requirements relating to maintain strict confidentiality during processing data protection and shall privacy, in particular regarding the disclosure of Personal Data to other entities except the Controller, and the Processing of Personal Data. Processor must process personal data only as contractually agreed or as instructed by in accordance with present arrangements and the controllerinstructions of Controller, unless required to otherwise process the processor is required data by investigations, by law to carry out a specific processing activityenforcement or national security agencies. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall Processor may not use the personal data provided for processing for any other purpose, in particular particularly for his its own purposes. (2) The processor assures that . Copies or duplicates of the persons employed by him for processing have been made familiar personal data must not be created without Controller’s knowledge. Processor undertakes to provide Controller with the relevant provisions information about the fulfillment of data protection the connection between the processor and this Agreement prior to commencement of processingthe Customer, as provided in Clause 9.2. Appropriate training and awareness-raising measures shall be repeated at regular intervalslit. The processor shall ensure t. 
Processor guarantees that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf for Controller will be strictly separated from other data. If the Processor believes that an Instruction of the controller must commit in writing to maintain confidentialityController infringes the Data Protection Law, unless they are already legally subject to a relevant confidentiality obligation. (4) The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data processing activities carried out by the processor are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. 
(9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor it shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEAController without delay. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is Processor cannot established in the European Union, he shall appoint a responsible contact person in the European Union process Personal Data in accordance with Art. 27 GDPR. The contact details the Instructions due to a legal requirement under any applicable European Union or United States law, the Processor will (i) promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the contact person affected Personal Data) until such time as well the Controller issues new instructions with which Processor is able to comply. If this provision is invoked, Processor will not be liable to the Controller under this Data Processing Covenant for any failure to perform the applicable services until such time as all changes the Controller issues new instructions in regard to the Processing. 
Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, but are not limited to: the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control), the prevention of Personal Data Processing systems from being used without authorization (logical access control), ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the contact person must course of Processing or use and after storage, Personal Data cannot be communicated read, copied, modified or deleted without authorization (data access control), ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control), ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control), ensuring that Personal Data is Processed solely in accordance with the controller without delayInstructions (control of instructions), ensuring that Personal Data is protected against accidental destruction or loss (availability control). (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Appears in 1 contract

Sources: Terms of Use Agreement

Obligations of the Processor. (1) The processor is obliged to maintain strict confidentiality during processing Processor processes Personal Data solely and shall process personal data only as contractually agreed in full compliance with the Regulations and instructions of the Controller or as instructed otherwise required in this Agreement. This obligation also applies to transfers by the controllerProcessor of Personal Data to a third country or an international organisation, unless the processor Processor is required to do so by law the Regulations or laws to carry out which the Processor is subject. In such a specific processing activity. If such obligations exist for the processorcase, the processor Processor shall notify inform the controller thereof prior to Controller of such legal requirements before processing, unless that law prohibits such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposesinformation on important grounds of public interest. (2) The processor assures Processor and Controller agree that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement and the Synology C2 Service Agreement represents the Controller’s complete and final instructions to the Processor. Processing outside the scope of this Agreement (if any) will require prior to commencement of written agreement between both parties on additional instructions for processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. 
The processor shall ensure Controller may terminate this Agreement if the Processor declines to follow instructions requested by the Controller that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to outside the fulfilment scope of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge In the performance of this Agreement, the Controller shall immediately confirm any oral instructions in writing. (4) Copies or duplicates of the data processed on behalf of the controller must commit in writing to maintain confidentialityController shall never be created without the knowledge of the Controller, unless with the exception of back-up copies as far as they are already legally subject necessary to a relevant confidentiality obligation. (4) The processor confirms that he is aware of ensure orderly data processing, as well as data required to meet regulatory requirements to retain data under the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checksRegulations. (5) In connection with The Processor may not on its own authority rectify, erase, or restrict the commissioned processing of data processingthat is being processed on behalf of the Controller or port/transfer any such data to any third party, but do so only on documented instructions from the Controller. When a Data Subject contacts the Processor directly concerning a rectification, erasure, or restriction of processing or to exercise the right of portability, the processor shall assist Processor will immediately forward the controller Data Subject’s request to the Controller. 
Insofar as it is included in drawing up the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation access shall be provided and forwarded to ensured by the controller upon requestProcessor in accordance with documented instructions from the Controller without undue delay. (6) If The Processor shall inform the controller Controller immediately if the Processor considers that an instruction of the Controller violates the GDPR (with regard to Art. 28 Paragraph 3 Sentence 3) or the Regulations. The Processor shall then be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them. (7) In addition to complying with the rules set out in this Agreement, the Processor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR. Accordingly, the Processor assures particularly compliance with the following requirements: a) The Processor entrusts only such employees with the data processing outlined in this Agreement who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to Personal Data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this Agreement, unless required to do so by law (Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR). b) The Processor must assist the Controller to comply with requests from individuals exercising their rights to access, rectify, port, erase or object to the processing of their Personal Data. c) The Processor must assist the Controller to comply with requests from the supervisory authority. 
The Controller and the Processor shall cooperate, on request, with the supervisory authority in performance of its tasks. d) Designation of Data Protection Officer / Contact Person / Representative Synology’s Data Protection Team can be contacted at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/en-global/form/privacy_issue. The Controller shall be informed immediately of any change of Data Protection Officer. e) The Controller shall be informed immediately of any inspections and measures conducted by the relevant supervisory authority as described in Point 9 of this Agreement, insofar as they relate to the processing of this Agreement. f) Insofar as the Controller is subject to an inspection by a supervisory authorities authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other bodies, or if claim in connection with the Agreement data subjects claim rights against himprocessing by the Processor, the processor is obliged Processor shall make every effort to support the controller to the extent necessary, as far as the data processing activities carried out by the processor Controller. Further assistance duties are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly.
The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes described in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions Point 8 of this Agreement. (11g) If The Processor shall assist the processor is not established Controller in ensuring compliance with the European Union, he shall appoint a responsible contact person obligations pursuant to Articles 32 to 36 as described in the European Union Point 9 of this Agreement. h) Implementation of and compliance with all Technical and Organisational Measures necessary for this Agreement in accordance with Art. 27 Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR. The contact details of the contact person , as well as all changes detailed in the contact person must be communicated to the controller without delayAppendix. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Appears in 1 contract

Sources: Data Processing Agreement

Obligations of the Processor. 1. The Processor shall be a processor within the meaning of Art 4(8) GDPR with respect to any information pursuant to Section 1.2 of this Agreement that relates to identified or identifiable persons within the meaning of Art 4(1) GDPR ("personal data") that is provided to it in connection with the performance of the activities referred to in Section 1.1. 2. The Processor undertakes to process data and processing results during the performance of the activities described under item 1.1 exclusively within the scope of the Controller's written orders. If the Processor receives an official order to release data of the Controller, the Processor shall - to the extent permitted by law - immediately inform the Controller thereof and refer the authority to the Controller. Similarly, processing of the data for the Processor's own purposes requires a written order. 3. The Processor declares in a legally binding manner that it has obliged all persons entrusted with the data processing to maintain strict confidentiality prior to commencement of the activity or that they are subject to an appropriate legal obligation of confidentiality within the meaning of Art 28 (3) lit b DSGVO and Section 6 DSG. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after termination of their activity and leaving the Processor. 4. The Processor declares in a legally binding manner that it has taken sufficient measures to ensure the security of processing in accordance with Art 32 GDPR in order to prevent data from being used in an unlawful manner or from being made accessible to third parties without authorisation (for details, see ▇▇▇▇▇://▇▇▇.▇▇▇▇▇/wp-content/uploads/7/0/0000460307/anlage-i-auftragsverarbeitung.pdf). 5. The Processor shall take the technical and organisational measures to ensure that the Controller can fulfil the rights of the data subject under Chapter III of the GDPR (duty to inform, right to information, right to rectification and deletion, data portability, objection, as well as automated decision-making in individual cases) within the statutory time limits at any time and shall provide the Controller with all information necessary for this purpose. If a request to this effect is addressed to the Processor and if the Processor indicates that the applicant mistakenly believes it to be the principal of the data processing carried out by it, the Processor shall immediately forward the request to the principal and inform the applicant accordingly. The Processor shall be entitled to reasonable remuneration for the assistance. 6. The Processor shall support the Controller in complying with the obligations set out in Art 32 to 36 GDPR (data security measures, prompt notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation). 7. The Processor is advised that it must set up a processing directory for the present commissioned processing in accordance with Art 30 DSGVO. 8. With regard to the processing of the data provided by the Controller, the Controller shall be granted the right to inspect and control the data processing facilities at any time, including through third parties commissioned by the Client. The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this agreement. 9. The Processor is obliged to destroy all processing results and documents containing data on its behalf after termination of this Processing Agreement. Display may, however, further process the data itself as a data controller in the public interest for archival purposes. 10. The Processor shall inform the Controller without undue delay if it believes that an instruction given by the Controller violates EU or Member State data protection provisions.

Appears in 1 contract

Sources: User Agreement

Obligations of the Processor. (a) The Processor shall ensure that persons authorised by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, are subject to a binding obligation of confidentiality and that such persons process any personal data to which they have access in compliance with the Controller's instructions. (b) The Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the Controller. The Processor may amend the technical and organisational measures from time to time provided that the amended technical and organisational measures are not less protective than those set out in Annex 2. (c) The Processor shall make available to the Controller any information necessary to demonstrate compliance with the obligations of the Processor relating to information security as required by Applicable data protection law and by this Schedule to the extent applicable to the Services. The Processor is in particular obliged to allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the Controller or another auditor mandated by the Controller in relation to the processing of the personal data. The Processor’s contribution to such audits shall be proportionate to the nature and purpose of the processing and subject to receipt by the Processor of reasonable notice. (d) The Processor shall notify the Controller (using the contact details provided by the Controller) without undue delay of becoming aware of a Personal Data Breach and the Processor will assist the Controller with the Controller's obligation under Applicable data protection laws to inform the data subjects and supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing and the information available to the Processor. For the avoidance of doubt, these obligations shall not be construed as an acknowledgement by the Processor of any liability for a Personal Data Breach or failure to prevent it. (e) The Processor shall provide reasonable assistance (taking account of the nature of the processing and the information available to the Processor) to the Controller with its obligation under Applicable data protection laws, to carry out: a. a data protection impact assessment; and b. prior consultation with the supervisory authorities that relates to the Services provided by the Processor to the Controller under this Schedule by providing the necessary and available information to the Controller on request to allow it to meet its obligations under the GDPR. (f) The Processor shall, at the option of the Controller, delete or return to the Controller all personal data which are processed by the Processor on behalf of the Controller under this Schedule after the end of the provision of the Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data. For the avoidance of doubt, this obligation shall not be infringed by the shredding of material containing personal data which was provided to the Processor by the Controller for destruction in the normal course of the Services. (g) The Processor shall provide to the Controller the records of processing activities relating to the Services under this Schedule, as far as necessary for the Controller to comply with its obligation to maintain records of processing activities. (h) The Processor shall designate a data protection officer and/or a representative, to the extent required by Applicable data protection law. The Processor shall provide contact details of the data protection officer and/or representative, if any, to the Controller.

Appears in 1 contract

Sources: Data Processing Agreement

Obligations of the Processor. 1. The Processor shall only process personal data as contractually agreed or as instructed by the Controller, unless the Processor is legally obliged to carry out a specific type of data processing. Should the Processor be bound by such obligations, the Processor is to inform the Controller thereof prior to processing the data, unless informing him/her is illegal. Furthermore, the Processor shall not use the data provided for processing for any other purpose, specifically his/her own. 2. The Processor confirms that he/she is aware of the applicable legal provisions on data protection. He is to observe the principles of correct data processing. 3. The Processor shall be obliged to maintain strict confidentiality when processing data. 4. Any individuals who could have access to the data processed on behalf of the Controller must be obliged in writing to maintain confidentiality, unless they are already legally required to do so via another written agreement. 5. The Processor shall ensure that the individuals he/she employs, who are to process the data, have been made aware of the relevant general data protection provisions as well as this contract before starting to process the data. The corresponding training and sensitization measures are to be appropriately carried out on a regular basis. The Processor shall ensure that the individuals tasked with processing the data are adequately instructed and supervised on an ongoing basis in terms of fulfilling data protection requirements. 6. In connection with the commissioned data processing, the Processor must support the Controller when designing and updating the list of data processing activities and implementing the data protection impact assessment. All data and documentation required are to be made immediately available to the Controller upon request. 7. Should the Controller be subject to the inspection of supervisory authorities or any other bodies or should affected persons exercise any rights against the Controller, then the Processor shall be obliged to support the Controller to the extent required, if the data being processed on behalf of the Controller is affected. 8. Information may be provided to third parties by the Processor solely with the Controller’s prior consent. Inquiries sent directly to the Processor will be forwarded to the Controller. 9. If he/she is legally obliged to do so, the Processor shall appoint a professional and reliable individual as the authorized data protection officer. It must be ensured that the officer does not have any conflicts of interest. In the event of any doubts, the Controller can contact the data protection officer directly. The Processor is to then immediately notify the Controller of the contact details of the data protection officer or provide a reason as to why a data protection officer has not been appointed. The Processor is to inform the Controller of any changes to the status of the data protection officer or of any changes to his in-house tasks. 10. Any data processing may only be carried out in the EU or the EEC. Any change to a third-party country may only take place with the Controller’s consent and in accordance with the conditions stipulated in chapter V of the GDPR and in compliance with the provisions of this contract.

Appears in 1 contract

Sources: Data Processing Agreement

Obligations of the Processor. 1. The Processor Processes Personal Data only on the Controller’s documented instruction contained in this Agreement or otherwise transferred to the Processor, which also applies to the transfer of Personal Data to a third country or international organization, unless it is required to do so by law. In such case, before processing begins, the Processor will inform the Controller of such legal obligation. 2. The Processor may use the services of other processors that will act as a subcontractor in the provision of services under the Agreement, to which the Controller agrees. The list of other processors (hereinafter: the “List”) referred to in the previous sentence is attached as Appendix 1 to this Agreement. 3. Where specific Processing activities are performed on behalf of the Controller, the Processor, using the services of another processing entity referred to in para. 2 above, imposes on such other processor, under an agreement for further entrustment of Personal Data Processing, the same data protection obligations as those indicated in this Agreement, in particular the obligation to provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the GDPR. If such other processor fails to fulfil its data protection obligations, the Processor will bear full liability towards the Controller for fulfilling the obligations of that other processor. 4. The Processor informs the Controller of any intended changes regarding the addition or replacement of other processors on the List. Within 21 days from the date of notification, the Controller may object to such changes, in which objection it will explain the grounds for non-acceptance of a new processor. Raising an objection means no consent to the addition or replacement of such a processor for further entrustment of Processing of Personal Data provided pursuant to this Agreement. In such case, unless it is possible to provide services under the Agreement, with the exclusion of the processor to which the Controller has objected, the Parties will have the right to terminate the Agreement with immediate effect. 5. When processing Personal Data, the Processor is obliged to apply technical and organizational measures to ensure the protection of Personal Data, in accordance with Article 32 GDPR, and in particular the Processor will secure Personal Data against disclosure to unauthorized persons, loss, damage or destruction, including, but not limited to: a) pseudonymization and encryption of Personal Data; b) capability to continuously ensure the confidentiality, integrity, availability and resilience of Processing systems and services; c) capability to quickly restore the availability of Personal Data and access to the same in the event of a physical or technical incident; d) regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure security of Processing. 6. In order to perform the obligation referred to in the previous paragraph, the Processor is obliged to keep documentation describing the method of Personal Data Processing and the means indicated in the previous paragraph. 7. Any activities for Personal Data Processing may only be undertaken by Personnel members who have previously obtained a written authorization from the Processor. Each authorization or its withdrawal must be entered by the Processor in the “Register of Persons Authorized to Process Personal Data”, which should contain the following data: a) first name and surname of the authorized person, b) date of granting and expiry, as well as the scope of authorization to access Personal Data, c) identifier, if Personal Data Processing is carried out using the Information System. 8. Personnel Members whom the Processor will use in performing this Agreement will be obliged by the Processor to keep confidentiality of Personal Data and apply protection measures for Processing of the same. 9. The Processor is obliged to train the Personnel in the ways of securing the Processed Personal Data. 10. Where applicable, the Processor, taking into account the nature of the Processing and the information available to it, will assist the Controller and provide necessary information in order for the Controller to properly fulfil its obligations provided for by law, in particular those specified in Chapter III and Article 32-36

Appears in 1 contract

Sources: Data Processing Agreement

Obligations of the Processor. (1) The Processor undertakes to strictly maintain confidentiality during processing and to process Personal Data exclusively as contractually agreed or as instructed by the Controller, unless the Processor is legally obliged to perform a specific processing. If such obligations exist for it, the Processor shall notify the Controller of them prior to the Processing, unless the notification is prohibited by law. Furthermore, the Processor shall not use the data provided for processing for any other purposes, in particular for its own purposes. (2) The Processor warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this Agreement prior to the start of processing. Corresponding training and awareness-raising measures shall be repeated on an appropriate regular basis. The Processor shall ensure that persons deployed for commissioned processing are appropriately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements and that they comply with the statutory provisions on data protection as well as the rules resulting from this contract, such as the binding of instructions and purpose limitation. (3) Persons who may obtain knowledge of the data processed in the order shall undertake in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation by law. (4) The Processor confirms that it is aware of the relevant general data protection regulations. It shall observe the principles of proper data processing and shall ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the Processor shall support the Controller in complying with the obligations set forth in Articles 32 to 36 of the GDPR, including the performance of a data protection impact assessment, as well as in creating and updating the list of processing activities pursuant to Article 30 of the GDPR. All required information and documentation shall be kept available and provided and forwarded to the Controller, without undue delay, upon request. (6) If the Controller is subject to an inspection by supervisory authorities or other bodies or if data subjects assert rights against the Controller, the Processor undertakes to support the Controller to the extent necessary, insofar as the data processing on behalf is affected. (7) The Processor may only provide information to third parties or to the Data Subject, including the disclosure of personal data, with the prior consent of the Controller. The Processor shall immediately forward any inquiries addressed directly to it to the Controller. (8) A data protection officer has been appointed by the Processor. The e-mail address ▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇ can be used to contact the data protection officer directly. Changes to the contact data of the data protection officer shall be communicated to the Controller for the purpose of direct contact. (9) As a matter of principle, commissioned processing takes place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the Controller and under the conditions contained in Chapter V of the GDPR. (10) If the Processor is not established in the European Union, it shall appoint a responsible contact person in the European Union pursuant to Article 27 of the GDPR. The contact details of the contact person as well as any changes in the person of the contact person shall be notified to the Controller without undue delay.

Appears in 1 contract

Sources: Commission Agreement

Obligations of the Processor. (1) The Processor undertakes to carry out processing of personal data in respect of agreed personal data solely in accordance with the instructions provided by the Controller under Item 5, below, unless such processing is required under union Law or the national law of a Member State to which the Controller is subject. In such cases, the Processor must notify the Controller about the legal requirement before the data is processed, provided such information is not prohibited with reference to a substantial public interest under this law. The Processor certifies that requisite technical and organizational protective measures are taken regarding the personal data, to ensure the processing complies with the relevant provisions of data protection and protects the rights of the data subjects. The Processor ensures that persons within its organization with the authority to process personal data are subject to confidentiality and under a non-disclosure agreement. Moreover, the Processor undertakes to give the Controller access to all the information required in order to show it has fulfilled all obligations as processor, and enable and contribute to inspections and other reviews the Personal Data Controller wishes to carry out. Moreover, the Processor shall assist the Controller, without delay, through appropriate organizational measures in order to ensure the Controller can fulfill its obligations to respond to the requests of data subjects regarding access to personal data, correction or deletion of personal data, restriction of or objection to processing of personal data, data portability or other rights specified in the General Data Protection Regulation (GDPR). The Processor shall provide assistance to the extent required in order for the Controller to be able to fulfill its other obligations under the General Data Protection Regulation (GDPR) or other applicable legislation, such as those relating to security, reporting of and information provided to data subjects in the event of personal data breaches, impact evaluations, and prior consultations with regulatory authorities.

Appears in 1 contract

Sources: Personal Data Processing Agreement

Obligations of the Processor. (1) The Processor processes Personal Data solely and in full compliance with the Regulations and instructions of the Controller or as otherwise required in this Agreement. This obligation also applies to transfers by the Processor of Personal Data to a third country or an international organisation, unless the Processor is required to do so by the Regulations or laws to which the Processor is subject. In such a case, the Processor shall inform the Controller of such legal requirements before processing, unless that law prohibits such information on important grounds of public interest. (2) The Processor and Controller agree that this Agreement and the Synology C2 Service Agreement represents the Controller’s complete and final instructions to the Processor. Processing outside the scope of this Agreement (if any) will require prior written agreement between both parties on additional instructions for processing. The Controller may terminate this Agreement if the Processor declines to follow instructions requested by the Controller that are outside the scope of this Agreement. (3) In the performance of this Agreement, the Controller shall immediately confirm any oral instructions in writing. (4) Copies or duplicates of the data processed on behalf of the Controller shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data under the Regulations. (5) The Processor may not on its own authority rectify, erase, or restrict the processing of data that is being processed on behalf of the Controller or port/transfer any such data to any third party, but do so only on documented instructions from the Controller. When a Data Subject contacts the Processor directly concerning a rectification, erasure, or restriction of processing or to exercise the right of portability, the Processor will immediately forward the Data Subject’s request to the Controller. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Processor in accordance with documented instructions from the Controller without undue delay. (6) The Processor shall inform the Controller immediately if the Processor considers that an instruction of the Controller violates the GDPR (with regard to Art. 28 Paragraph 3 Sentence 3) or the Regulations. The Processor shall then be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them. (7) In addition to complying with the rules set out in this Agreement, the Processor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR. Accordingly, the Processor assures particularly compliance with the following requirements: a) The Processor entrusts only such employees with the data processing outlined in this Agreement who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to Personal Data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this Agreement, unless required to do so by law (Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR). b) The Processor must assist the Controller to comply with requests from individuals exercising their rights to access, rectify, port, erase or object to the processing of their Personal Data. c) The Processor must assist the Controller to comply with requests from the supervisory authority. The Controller and the Processor shall cooperate, on request, with the supervisory authority in performance of its tasks. d) Designation of Data Protection Officer / Contact Person / Representative: Synology’s Data Protection Team can be contacted at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇/form/privacy_issue. The Controller shall be informed immediately of any change of Data Protection Officer. e) The Controller shall be informed immediately of any inspections and measures conducted by the relevant supervisory authority as described in Point 9 of this Agreement, insofar as they relate to the processing of this Agreement. f) Insofar as the Controller is subject to an inspection by a supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Agreement data processing by the Processor, the Processor shall make every effort to support the Controller. Further assistance duties are described in Point 8 of this Agreement. g) The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 as described in Point 9 of this Agreement. h) Implementation of and compliance with all Technical and Organisational Measures necessary for this Agreement in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR, as detailed in the Appendix.

Appears in 1 contract

Sources: Data Processing Agreement