Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at ▇▇▇▇▇://▇▇▇▇.▇▇/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA. 3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.
Appears in 7 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Obligations of the Processor. 3.1 4.1.1. The Processor undertakes to carry out Data Processing exclusively on the basis of Process Personal data only in accordance with documented instructions from the ControllerController (the “Instructions” stated in Appendix 1) and Applicable Data Protection Legislation, unless otherwise provided by Applicable Data Protection Legislation. If Processing deviating from the Processor considers an instruction of the Controller to be unlawfulInstructions, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.
3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the required under Applicable Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA.
3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at ▇▇▇▇▇://▇▇▇▇.▇▇/en/legal in the current version.
3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller.
3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment.
3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this.
3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA.
3.8 To the extent permitted by lawProtection Legislation, the Processor shall inform the Controller of the legal requirement before Personal Data is Processed for that purpose, unless such information is prohibited with reference to an important public interest under Applicable Data Protection Legislation. This DPA and Appendix 1 sets out the Controller’s instructions to the Processor about control actions the subject-matter and measures taken duration of the Processing, the nature and purpose of the Processing, the type of Personal data and categories of Data subjects.
4.1.2. The Controller confirms that the Processor’s obligations under this DPA, including Appendix 1, constitute the complete instructions to be followed by the supervisory authorities insofar as they relate Processor. Any changes to the Controller's ’s instructions shall be negotiated separately and shall be made in writing and signed by both Parties.
4.1.3. The Processor shall without undue delay inform the Controller if the Processor believes that the Controller’s instructions regarding the Processing of Personal data are in violation of Applicable Data Processing operationsProtection Legislation.
4.1.4. The Processor shall assist the Controller with appropriate technical and organisational measures, taking into account, as far as possible, the nature of the processing and the information available to the Processor, in order for the Controller to comply with the requirements of Article 28 of the GDPR, and for the Controller to comply its obligations regarding: security in connection with the Processing, notification of a Personal data breach to the Supervisory authority, information to the Data subject about a Personal data breach, impact assessment regarding data protection and prior consultation (Articles 32-36 of the GDPR). The Processor shall also provide assistance to the Controller through appropriate technical and organisational measures so that the Controller can fulfil its duty regarding the rights of Data subjects in accordance with Chapter 3 of the GDPR.
4.1.5. The Processor shall, at the Controllers request, correct or delete incorrect, incomplete or outdated Personal data without undue delay.
Appears in 4 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.
3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA.
3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at ▇▇▇▇▇://▇▇▇▇.▇▇/en/legal in the current version.
3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller.
3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment.
3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this.
3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 4 of this DPA.
3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.
Appears in 3 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Obligations of the Processor. 3.1 5.1 The Processor undertakes to carry out Data Processing shall execute the data processing in accordance with applicable data protection laws of the EU and its member states as well as exclusively on within the basis scope of written orders and documented instructions from the ControllerSupplier, unless required otherwise by applicable data protection laws of the EU or its member states. In the latter case the Processor shall inform the Supplier of that legal requirement before commencement the data processing, unless such laws prohibit such information on important grounds of public interest. If the Processor considers receives an instruction official order to hand over personal data of the Controller Supplier, it shall – if permitted by law – inform the Supplier without delay and refer the authority to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controllerlatter.
3.2 5.2 The Processor shall be obliged to treat confidentially ensure that any personal data of which it becomes aware in connection persons commissioned with the Data Processingdata processing have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In particular, such confidentiality obligation of the persons commissioned with the data processing also remains after the termination of their activity and leaving from the Processor.
5.3 The Processor shall impose a confidentiality obligation on all persons authorized by it to process establish the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA.
3.3 The Processor shall take all necessary technical and organizational measures within in accordance with Article 32 GDPR. Such measures are available on the meaning of Art. 32 website of the GDPRProcessor under ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇/auftragsdatenverarbeitungsbedingungen. These technical and organizational The measures to be taken are measures of data security and measures to ensure that guarantee a protection level of protection appropriate to the risk with regard to concerning confidentiality, integrity, availability and the resilience of the systems. They shall take into account the The state of the art, the costs of implementation and costs, the nature, scope and purposes of the processing, processing as well as the varying likelihood probability of occurrence and the severity of the risk to the rights and freedoms of natural personspersons must be taken into account. The technical and organizational measures taken by are subject to technical progress and further development. In this respect, it is permissible for the Processor are available at ▇▇▇▇▇://▇▇▇▇.▇▇/en/legal in to implement alternative adequate measures. In so doing, the current versionsecurity level of the defined measures must not be reduced. Substantial changes must be documented.
3.4 5.4 The Processor shall, where possible, support shall establish the Controller with appropriate technical and organizational measures to enable the Controller Supplier to comply with fulfill at all times any obligation to respond to requests for exercising the data subject subject’s rights under laid down in Chapter III of the GDPR (rights to information, access, rectification and erasure, data portability, object and automated individual decision- making) within the legal time limits deadlines and shall provide to the Controller Supplier with the all information necessary information to do so upon the Controller's requestfor this, provided that such information is solely available from the Processor has such informationProcessor. If a subject submits a respective request is made to the Processor Processor, the latter indicates that the claimant mistakenly considers it to exercise be the Supplier of the operated data subject rightsapplication, the Processor shall be obliged to must immediately forward the request to the Controller if Supplier and notify the request relates to Data Processing by the Controllerclaimant thereof.
3.5 5.5 The Processor shall support assist the Controller Supplier in the performance of complying with the obligations incumbent upon the Controller pursuant referred to Art. in Articles 32 to 36 of the GDPRGDPR (concerning the security of personal data, which shall includereporting requirements for data breaches to the supervisory authority, but not be limited to, the implementation of security measures, the notification communications of data protection breaches andto the data subject, where applicable, the preparation of a data protection impact assessmentassessments and prior consultations).
3.6 The 5.6 Upon completion of the Service Agreement, the Processor shall delete the all personal data of the Data Processing after Supplier or on its documented instructions hand over such personal data to the expiry Supplier, unless the Processor is required to further storage of such personal data pursuant to applicable law of the retention periods provided for in EU or its member states.
5.7 With respect to the Main Agreement and/or without delay at data processing of its personal data the request Supplier shall be entitled to inspection and control of data processing equipment of the ControllerProcessor, which may also be conducted by a third auditor mandated by the Supplier. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this.
3.7 The Processor is obliged to provide to the Controller with Supplier all such information at the latter's request in order necessary to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the this Agreement on Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing obligations laid down in accordance with Section 5 of this DPAapplicable data protection laws.
3.8 To the extent permitted by law, the 5.8 The Processor shall inform the Controller about control actions Supplier immediately, if it considers that an instruction violates data protection regulations of the EU or its member states.
5.9 The Processor is obliged to appoint a data protection officer, who performs its duties in compliance with Articles 38 and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.39
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement