Common use of Processors and Sub-processors Clause in Contracts

Processors and Sub-processors.

(a) If the Partner appoints a third-party Processor to process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain liable to the University of Buckingham for the acts and/or omissions of the Processor.

(b) Each Party is responsible for verifying the validity and suitability of any Processor before entering into a business relationship.

(c) Each Party shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory Data Protection Laws requirements.

(d) Each Party shall verify that any Processor has adequate and documented processes for Data Breaches, data retention and data transfers in place.

(e) The Parties shall obtain evidence from any Processor as to the:

(i) verification and reliability of the employees used by the Processor

(ii) certificates, accreditations and policies as referred to in the Supplier Security Assessment Questionnaire

(iii) technical and operational measures described in Schedule 6 of this agreement

(iv) procedures in place for allowing data subjects to exercise their rights, including (but not limited to), subject access requests, erasure & rectification procedures and restriction of processing measures

(f) Where Each Party has authorised the use of any Sub-Processor by any Processor, each Party must verify that adequate data protection agreements are in place between the Processor and Sub-Processor.

(g) Where Each Party has authorised the use of any Sub-Processor by any Processor, the details of the Sub-Processor must be added to Schedule 5 of the agreement between the Party and the Processor.

Appears in 2 contracts

Sources: Contract for Services, Contract for Services