Protection of Personal Data and Security of Data Clause Samples

The Protection of Personal Data and Security of Data clause establishes the obligation for parties to safeguard personal and sensitive information handled during their relationship. It typically requires compliance with relevant data protection laws, mandates the implementation of appropriate technical and organizational measures to prevent unauthorized access or breaches, and may specify procedures for reporting incidents. This clause is essential for ensuring that personal data is handled responsibly and securely, thereby reducing the risk of data breaches and legal liabilities.
Protection of Personal Data and Security of Data. 13.1 The Supplier shall, and shall procure that all Staff shall, comply with any notification requirements under the DPA and both Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement. 13.2 Notwithstanding the general obligation in clause 13.1, where the Supplier is processing Personal Data for the Customer as a data processor (as defined by the DPA) the Supplier shall: 13.2.1 ensure that it has in place appropriate technical and organisational measures to ensure the security of the Personal Data (and to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; 13.2.2 provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; 13.2.3 promptly notify the Customer of: (a) any breach of the security requirements of the Customer as referred to in clause 13.3; and (b) any request for personal data; and 13.2.4 ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of the Customer’s obligations under the DPA. 13.3 When handling Customer data (whether or not Personal Data), the Supplier shall ensure the security of the data is maintained in line with the security requirements of the Customer as notified to the Supplier from time to time.
Protection of Personal Data and Security of Data. 15.1 In this Clause 15, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation. 15.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Supplier is the data processor of any Personal Data. 15.3 The Supplier shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed. 15.4 Without limiting Clauses 15.2 and 15.3, the Supplier shall at all times (and shall ensure that at all times its staff): (a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Term of this Contract. The Supplier shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law; (b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations; (c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services; (d) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇); (e) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access; (f) upon request by UKRI, promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation; (g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames; (h) provide such information and allow for and contribute to audits, including inspections, conducted by UKR...
Protection of Personal Data and Security of Data. 13.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 1. The only processing that the Contractor is authorised to do is listed in Schedule 1 by the Customer and may not be determined by the Contractor. 13.2. The Contractor shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 13.3. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a. a systematic description of the envisaged processing operations and the purpose of the processing; b. an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. an assessment of the risks to the rights and freedoms of Data Subjects; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. process that Personal Data only in accordance with Schedule 1 unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; c. ensure that: i. the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); ii. it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: 1. are aware of and comply with the Contractor’s duties under this clause; 2. are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; 3. are informed of...
Protection of Personal Data and Security of Data. The Contractor shall, and shall procure that all Staff shall, comply with any notification requirements under the DPA and both Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement.
Protection of Personal Data and Security of Data. Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause 16 is in addition to, and does not relieve, remove or replace, a Party's obligations under the Data Protection Legislation.
Protection of Personal Data and Security of Data. The Supplier shall, and shall procure that all Staff shall, comply with any notification requirements under the GDPR and both Parties shall duly observe all their obligations under the GDPR which arise in connection with this Agreement.
Protection of Personal Data and Security of Data. 13.1. The Supplier shall, and shall procure that all Staff shall, comply with any notification requirements under the UK GDPR and both Parties shall duly observe all their obligations under the UK GDPR which arise in connection with the Agreement. 13.2. Notwithstanding the general obligation in clause 13.1, where the Supplier is processing Personal Data for the Customer as a data processor (as defined by the UK GDPR) the Supplier shall: 13.2.1. ensure that it has in place appropriate technical and organisational measures to ensure the security of the Personal Data (and to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the UK GDPR; 13.2.2. provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the UK GDPR; 13.2.3. promptly notify the Customer of: 13.2.3.1. any breach of the security requirements of the Customer as referred to in clause 13.3; and 13.2.3.2. any request for personal data; and
Protection of Personal Data and Security of Data. 17.1 In this clause 17, the terms “processed”, “data controller” and “data processor” shall have the same meanings given to them under Data Protection Legislation.
Protection of Personal Data and Security of Data. 8.1 The Authority shall comply with any notification requirements under the DPA and both Parties shall duly observe all their obligations under the DPA which arise in connection with this Agreement. 8.2 Notwithstanding the general obligation in clause 8.1, where the Authority is processing ‘personal data’ on behalf of the Business as a ‘data processor’ (the aforementioned and foregoing wording in quotes being as defined by the DPA), the Authority shall take reasonable steps to: ensure that it has in place appropriate technical and organisational measures to ensure the security of the ‘personal data’ (and to guard against unauthorised or unlawful processing of ‘personal data’ and against accidental loss or destruction of, or damage to, the ‘personal data’), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA, having regard at all times to the state of technological development and the cost of implementing any measures; provide the Business with such information as the Business may reasonably request to satisfy itself that the Authority is complying with its obligations under the DPA; promptly notify the Business of any breach of the security requirements of the Business as referred to in clause 8.2(a); and ensure that it does not knowingly or negligently do or omit to do anything which places the Business in breach of the Business’ obligations under the DPA.
Protection of Personal Data and Security of Data. The Parties acknowledge that, for the purposes of Data Protection Law, the Authority is the Controller and the Supplier is the Processor. The only processing which the Authority has authorised the Supplier to do is described in the Specification.