Processing of Sensitive Personal Data Clause Samples

The "Processing of Sensitive Personal Data" clause defines the rules and conditions under which sensitive personal information—such as health records, biometric data, or information revealing racial or ethnic origin—may be collected, used, stored, or shared by the parties involved. Typically, this clause outlines the need for explicit consent from individuals, specifies the security measures required to protect such data, and may restrict processing to only what is strictly necessary for the contract’s purposes. Its core function is to ensure compliance with data protection laws and to safeguard individuals’ privacy by imposing stricter controls on the handling of particularly sensitive information.
POPULAR SAMPLE Copied 1 times
Processing of Sensitive Personal Data. 10.1 This paragraph 10 shall apply to “Sensitive Personal Data” being personal information revealing or concerning (directly or indirectly) racial or ethnic origin, political affiliations or opinions, religious or philosophical beliefs, trade-union membership or membership of other parties, associations or organisations of a religious, philosophical, political or trade- union nature, physical or mental health or condition including addictions, sex life, private life, social aid, the commission or alleged commission of any criminal offence or proceedings in relation thereto, other criminal behaviour or unlawful or objectionable conduct, administrative proceedings and sanctions and other judicial data. 10.2 Any transport of hardware or other physical media containing Sensitive Personal Data may only be carried out after such Sensitive Personal Data have been encrypted, using an appropriate encryption algorithm and cryptosystem. 10.3 Any transfer of Sensitive Personal Data via any telecommunications system or network may only be carried out after such Sensitive Personal Data have been encrypted, using an appropriate encryption algorithm and cryptosystem. 10.4 Each access to Sensitive Personal Data (whether manual or electronic) must be recorded indicating: (a) the date and time; (b) the identity of the user; (c) the file to which the user has had access; (d) the kind of access (e.g. read only); and (e) whether the access has been authorised or refused. Such record must be kept for at least two (2) years from the date it is entered. IHS Markit shall make such record available to Customer upon reasonable request and shall additionally submit a summary report of the access record on a monthly basis to Customer. 10.5 Back up copies shall be made of the Sensitive Personal Data and stored at a location which is different to the location where the Sensitive Personal Data are located, such storage to comply with the security requirements set out in these Information Security Terms. If the Sensitive Personal Data is taken off site, it shall be encrypted using an agreed encryption algorithm and cryptosystem. 10.6 Any maintenance on devices that store, or previously stored, Sensitive Personal Data, which requires the media to be removed from site must ensure that data is cleansed, or wiped, using the agreed cleaning process.
View SourceView Similar (5)
Processing of Sensitive Personal Data. To the extent that Vertice processes Sensitive Personal Data and the security measures referred to in this document are deemed to provide insufficient protection, Customer may request that Vertice implement additional security measures.
View SourceView Similar (3)
Processing of Sensitive Personal Data a. Where the transfer involves Sensitive Personal Data, the Data Importer shall apply the specific restrictions and/or additional safeguards described in Annex C to this Agreement. b. Where the transfer involves Personal Data concerning children or adolescents, the Data Importer shall privi- lege the protection of their superior interests, in accordance with the Convention on the Rights of the Child and other international instruments.
View SourceView Similar (3)
Processing of Sensitive Personal Data a. Where the transfer involves Sensitive Personal Data, the Data Importer shall apply specific restrictions and additional safeguards adapted to the specific nature of the data and the risk involved. b. These measures may consist of, for example, restricting the personnel permitted to access the Personal Data, special confidentiality agreements, additional security measures (such as Anonymization), and/or additio- nal restrictions related to Onward Transfers. c. Where the transfer involves Personal Data concerning children or adolescents, the Parties shall privilege the protection of their superior interests, in accordance with the Convention on the Rights of the Child and other international instruments.
View SourceView Similar (2)
Processing of Sensitive Personal Data. Customer agrees that it shall not use the Outreach Services to Process Sensitive Personal Data without Outreach’s explicit and prior written consent.
View Source
Processing of Sensitive Personal Data. To the extent that Cisco processes Sensitive Personal Data and the security measures referred to in this document are deemed to provide insufficient protection, Customer may request that Cisco implement additional security measures.
View Source
Processing of Sensitive Personal Data. (1) Sensitive Personal Data shall not be Processed unless– (a) the Data Subject has given an additional written consent to the Processing of this kind of Personal Data; (b) Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller; (c) Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent; (d) Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non‐profit‐seeking body on condition that the Processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data are not disclosed to a Third Party without the consent of the Data Subjects; (e) the Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims; (f) Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject; (g) Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation; (h) Processing is necessary to comply with any regulatory, auditing, accounting, anti‐ money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime; or (i) Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those Personal Data are Processed by a health professional subject under law or rules established by competent bodies to the obligation of confidence or by another person subject to an equivalent obligation. (2) Subsection (1) shall not apply if– (a) a permit has been obtained from the Registrar to Process Sensitive Personal Data; and (b) the Data Controller applies adequate safeguards with respect to the Processing of the Personal Data.
View Source
Processing of Sensitive Personal Data. Customer will not submit sensitive personal data to the Outreach Services without written consent from Outreach or agreement from Outreach to enter into a business associate agreement. In such cases, the parties acknowledge that limited special categories of personal data may incidentally be entered by Customer through Customer’s use of the Services in the regular course of business.
View Source

Related to Processing of Sensitive Personal Data

  • Processing of Customer Personal Data 3.1 UKG will: 3.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and 3.1.2 not Process Customer Personal Data other than for the purpose, and in accordance with, the relevant Customer’s instructions as documented in the Agreement and this DPA, unless Processing is required by the Data Protection Laws to which the relevant UKG Processor is subject, in which case UKG to the extent permitted by the Data Protection Laws, will inform Customer of that legal requirement before the Processing of that Customer Personal Data. 3.2 Customer hereby: 3.2.1 instructs UKG (and authorizes UKG to instruct each Subprocessor) to: (a) Process Customer Personal Data; and (b) in particular, transfer Customer Personal Data to any country or territory subject to the provisions of this DPA, in each case as reasonably necessary for the provision of the Services and consistent with the Agreement. 3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in Section 3.2.1 on behalf of each relevant Customer Affiliate; and 3.2.3 warrants and represents that it has all necessary rights in relation to the Customer Personal Data and/or has collected all necessary consents from Data Subjects to Process Customer Personal Data to the extent required by Applicable Law. 3.3 Schedule 1 to this DPA sets out certain information regarding UKG’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR (and equivalent requirements of other Data Protection Laws).

  • Processing Personal Data This ▇▇▇▇▇ shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Buyer at its absolute discretion.

  • Processing of Personal Data 1.1. With regard to the Processing of Personal Data, You are the controller and determine the purposes and means of Processing of Personal Data You provide to Us (“Controller”) and You appoint Us as a processor (“Processor”) to process such Personal Data (hereinafter, “Data”) on Your behalf (hereinafter, “Processing”). 1.2. The details of the type and purpose of Processing are defined in the Exhibits attached hereto. Except where the DPA stipulates obligations beyond the Term of the Agreement, the duration of this DPA shall be the same as the Agreement Term. 1.3. You shall be solely responsible for compliance with Your obligations under the applicable Data Protection Laws, including, but not limited to, the lawful disclosure and transfer of Personal Data to Us by upload of source data into the Cloud Service or otherwise. 1.4. Processing shall include all activities detailed in this Agreement and the instructions issued by You. You may, in writing, modify, amend, or replace such instructions by issuing such further instructions to the point of contact designated by Us. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes. You shall, without undue delay, confirm in writing any instruction issued orally. Where We believe that an instruction would be in breach of applicable law, We shall notify You of such belief without undue delay. We shall be entitled to suspend performance on such instruction until You confirm or modify such instruction. 1.5. We shall ensure that all personnel involved in Processing of Customer Data and other such persons as may be involved in Processing shall only do so within the scope of the instructions. We shall ensure that any person Processing Customer Data is subject to confidentiality obligations similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Processing.

  • Handling Sensitive Personal Information and Breach Notification A. As part of its contract with HHSC Contractor may receive or create sensitive personal information, as section 521.002 of the Business and Commerce Code defines that phrase. Contractor must use appropriate safeguards to protect this sensitive personal information. These safeguards must include maintaining the sensitive personal information in a form that is unusable, unreadable, or indecipherable to unauthorized persons. Contractor may consult the “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” issued by the U.S. Department of Health and Human Services to determine ways to meet this standard. B. Contractor must notify HHSC of any confirmed or suspected unauthorized acquisition, access, use or disclosure of sensitive personal information related to this Contract, including any breach of system security, as section 521.053 of the Business and Commerce Code defines that phrase. Contractor must submit a written report to HHSC as soon as possible but no later than 10 business days after discovering the unauthorized acquisition, access, use or disclosure. The written report must identify everyone whose sensitive personal information has been or is reasonably believed to have been compromised. C. Contractor must either disclose the unauthorized acquisition, access, use or disclosure to everyone whose sensitive personal information has been or is reasonably believed to have been compromised or pay the expenses associated with HHSC doing the disclosure if: 1. Contractor experiences a breach of system security involving information owned by HHSC for which disclosure or notification is required under section 521.053 of the Business and Commerce Code; or 2. Contractor experiences a breach of unsecured protected health information, as 45 C.F.R. §164.402 defines that phrase, and HHSC becomes responsible for doing the notification required by 45 C.F.R. §164.404. HHSC may, at its discretion, waive Contractor's payment of expenses associated with HHSC doing the disclosure.

  • Personal Data Registry Operator shall (i) notify each ICANN-­‐accredited registrar that is a party to the registry-­‐registrar agreement for the TLD of the purposes for which data about any identified or identifiable natural person (“Personal Data”) submitted to Registry Operator by such registrar is collected and used under this Agreement or otherwise and the intended recipients (or categories of recipients) of such Personal Data, and (ii) require such registrar to obtain the consent of each registrant in the TLD for such collection and use of Personal Data. Registry Operator shall take reasonable steps to protect Personal Data collected from such registrar from loss, misuse, unauthorized disclosure, alteration or destruction. Registry Operator shall not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars.