Processing of personal data by the contractor. The processing of personal data by the Contractor shall meet the requirements of Regulation (EU) No 2018/1725 and be processed on behalf of Fusion for Energy, as “processor” solely for the purpose set out by the Data Controller. The Contractor may act only on documented instructions and under the supervision of the Data Controller, in particular with regard to the purpose of the processing, the categories of data that may be processed, the recipients of the data and the means by which the data subject may exercise its rights. The Contractor shall have measures in place to ensure that the data subjects can exercise their rights. The Contractor may be asked by Fusion for Energy to use ITER Organization IT applications that store information in data centers or similar premises located on the territory of the European Union (incl. back-up storage). The Contractor shall assist the Data Controller in the fulfilment of its obligation to respond to requests for exercising rights of persons whose personal data is processed in relation to this Contract as laid down in Chapter III (Articles 14-25) of Regulation (EU) No 2018/1725. The Contractor shall inform without delay the Data Controller of such requests. The Contractor shall grant its Staff access to the data to the extent strictly necessary for the implementation, management and monitoring of the Contract. The Contractor must ensure that Staff authorised to process personal data has committed itself to confidentiality or is under appropriate statutory obligation of confidentiality in accordance with the provisions of Article II.24 (Confidentiality). The Contractor shall adopt appropriate technical and organisational security measures, addressing the risks inherent in the processing, the nature, the scope, the context and the purpose of the processing, in order to ensure, as appropriate:
(a) the pseudonymisation and encryption of personal data. Data in transit on public networks (e.g. internet) shall be encrypted. Other security measures than encryption of stored data may be defined during contract implementation
(b) the ability to ensure continuous confidentiality, integrity, availability and resilience of processing systems and services;
Appears in 1 contract
Sources: Supply Contract
Processing of personal data by the contractor. The processing of personal data by the Contractor shall meet the requirements of Regulation (EU) No 2018/1725 and be processed on behalf of Fusion for Energy, as “processor” solely for the purpose set out by the Data Controller. The Contractor may act only on documented instructions and under the supervision of the Data Controller, in particular with regard to the purpose of the processing, the categories of data that may be processed, the recipients of the data and the means by which the data subject may exercise its rights. The Contractor shall have measures in place to ensure that the data subjects can exercise their rights. The Contractor may be asked by Fusion for Energy to use ITER Organization IT applications that store information in data centers or similar premises located on the territory of the European Union (incl. back-up storage). The Contractor shall assist the Data Controller in the fulfilment of its obligation to respond to requests for exercising rights of persons whose personal data is processed in relation to this Contract as laid down in Chapter III (Articles 14-25) of Regulation (EU) No 2018/1725. The Contractor shall inform without delay the Data Controller of such requests. The Contractor shall grant its Staff access to the data to the extent strictly necessary for the implementation, management and monitoring of the Contract. The Contractor must ensure that Staff authorised to process personal data has committed itself to confidentiality or is under appropriate statutory obligation of confidentiality in accordance with the provisions of Article II.23 (Confidentiality). The Contractor shall adopt appropriate technical and organisational security measures, addressing the risks inherent in the processing, the nature, the scope, the context and the purpose of the processing, in order to ensure, as appropriate:
(a) the pseudonymisation and encryption of personal data. Data in transit on public networks (e.g. internet) shall be encrypted. Other security measures than encryption of stored data may be defined during contract implementation
(b) the ability to ensure continuous confidentiality, integrity, availability and resilience of processing systems and services;
Appears in 1 contract
Sources: Framework Service Contract
Processing of personal data by the contractor. The processing of personal data by the contractor shall meet the requirements of the general conditions and be processed solely for the purposes set out by the controller. The contractor shall assist the controller for the fulfilment of the controller’s obligation to respond to requests for exercising rights of person whose personal data is processed in relation to this contract as laid down in Chapter III (Articles 14-25) of Regulation (EU) 2018/1725. The contractor shall inform without delay the controller about such requests. The contractor may act only on documented written instructions and under the supervision of the controller, in particular with regard to the purposes of the processing, the categories of data that may be processed, the recipients of the data and the means by which the data subject may exercise its rights. The contractor shall grant its personnel access to the data to the extent strictly necessary for the implementation, management and monitoring of the contract.
The contractor must ensure that personnel authorised to process personal data has committed itself to confidentiality or is under appropriate statutory obligation of confidentiality in accordance with the provisions of Article 9.7 of these general conditions. The contractor shall adopt appropriate technical and organisational security measures, giving due regard to the risks inherent in the processing and to the nature, the scope, the context and the purposes of the processing, in order to ensure, in particular, as appropriate:
(a) the pseudonymisation and encryption of personal data. Data in transit on public networks (e.g. internet) shall be encrypted. Other security measures than encryption of stored data may be defined during contract implementation;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
(e) measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
The contractor shall notify relevant personal data breaches to the controller without undue delay and at the latest within 48 hours after the contractor becomes aware of the breach. In such cases, the contractor shall provide the controller with at least the following information:
(a) nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) likely consequences of the breach;
(c) measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The contractor shall immediately inform the data controller if, in its opinion, an instruction infringes Regulation (EU) 2018/1725, Regulation (EU) 2016/679, or other Union or Member State or third country applicable data protection provisions as referred to in the tender specifications. The contractor shall assist the controller for the fulfilment of its obligations pursuant to Article 33 to 41 under Regulation (EU) 2018/1725 to:
(a) ensure compliance with its data protection obligations regarding the security of the processing, and the confidentiality of electronic communications and directories of users;
(b) notify a personal data breach to the European Data Protection Supervisor;
(c) communicate a personal data breach without undue delay to the data subject, where applicable;
(d) carry out data protection impact assessments and prior consultations as necessary.
The contractor shall maintain a record of all data processing operations carried on behalf of the controller, transfers of personal data, security breaches, responses to requests for exercising rights of people whose personal data is processed and requests for access to personal data by third parties.
The contracting authority is subject to Protocol 7 of the Treaty on the Functioning of the European Union on the privileges and immunities of the European Union, particularly as regards the inviolability of archives (including the physical location of data and services) and data security, which includes personal data held on behalf of the contracting authority in the premises of the contractor or subcontractor. The contractor shall notify the contracting authority without delay of any legally binding request for disclosure of the personal data processed on behalf of the contracting authority made by any national public authority, including an authority from a third country. The contractor may not give such access without the prior written authorisation of the contracting authority.
The duration of processing of personal data by the contractor will not exceed the period referred to in Article 9.10 of these general conditions. Upon expiry of this period, the contractor shall, at the choice of the controller, return, without any undue delay in a commonly agreed format, all personal data processed on behalf of the controller and the copies thereof or shall effectively delete all personal data unless Union or national law requires a longer storage of personal data.
For the purpose of Article 6 of these general conditions, if part or all of the processing of personal data is subcontracted to a third party, the contractor shall pass on the obligations referred to in the present article in writing to those parties, including subcontractors.
At the request of the contracting authority, the contractor shall provide a document providing evidence of this commitment.
Appears in 1 contract
Sources: Procurement of Specialized Vehicles