Protection of Personal Data and Security of Data. 15.1 In this Clause 15, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation. 15.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Supplier is the data processor of any Personal Data. 15.3 The Supplier shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed. 15.4 Without limiting Clauses 15.2 and 15.3, the Supplier shall at all times (and shall ensure that at all times its staff): (a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Term of this Contract. The Supplier shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law; (b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations; (c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services; (d) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇); (e) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access; (f) upon request by UKRI, promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation; (g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames; (h) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Supplier's compliance with this Clause 15 and the Data Protection Legislation (i) on termination or expiry of this Contract, and at any other time on UKRI's request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and (j) notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under Data Protection Legislation.
Appears in 8 contracts
Sources: Contract for Evaluation Services, Contract for Supply, Contract for Supply of Goods
Protection of Personal Data and Security of Data. 15.1 In this Clause 15clause 13, the terms, "processes", "data controller" and "data processor" term “processed” shall have the same meanings given to them under Data Protection Legislation.
15.2 . The Parties Trust and the Contractor acknowledge that for the purposes of Data Protection Legislation, UKRI the Trust is the data controller Data Controller and the Supplier Contractor is the data processor Data Processor of any Personal Data.
15.3 . The Supplier Contractor shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 processed relating to or originating from the Trust, its employees or supported organisations or clients. Neither party shall, and the Contractor shall procure that no sub-contractors shall, by act or omission put the other party in breach of the Data Protection Legislation. Without prejudice to clause 13.6(c), the Contractor shall, and shall procure that each of its sub-contractors shall, process Personal Data only: in such manner as is necessary for the Services; in accordance with documented instructions received from the Trust; and for the Term. Upon request by the Trust, the Contractor shall promptly provide to the Trust such copies of any Personal Data provided by or on behalf of the Trust to the Contractor under this Agreement and do such other acts in relation to the Personal Data or any part thereof as the Trust shall request which are required in order for the Trust to comply with any of its obligations under the Data Protection Legislation. Without limiting Clauses 15.2 and 15.3clause 13.3, the Supplier Contractor represents, warrants and undertakes to the Trust that the Contractor: shall not by any act or omission put the Trust in breach of the Data Protection Legislation; shall at all times (comply with, and shall ensure that at all times its staff):
(a) Staff and sub-contractors: are informed of the confidential nature of the Personal Data; have undertaken training in the laws relating to handling Personal Data; comply with, any guidelines, codes of practice, policies or other requirements notified to it by the Trust in connection with processing Personal Data; and are aware both of the Contractor’s duties and their personal duties and obligations under Data Protection Legislation; shall not allow any sub-contractors to have access to, receive or process Personal Data only in accordance with and the documented instructions received from UKRI and during the Term of this Contract. The Supplier Contractor shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party other person (including, without limitation, any data processor or process or direct other contractor) without the processing of Personal Data outside of the European Economic Area in each case without UKRI's Trust’s prior written consent (which such consent may to be subject to conditions as directed at the sole discretion of the Trust) and unless permitted under Data Protection Legislation and, where consent is given by ▇▇▇▇);
(e) the Trust, the Contractor shall only undertake such processing in accordance with the Trust’s instructions; shall keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do ; shall take all reasonable steps to ensure the reliability of any of its Staff who have access to Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Contractors obligations under this clause 13 in relation to respect of the Personal Data, or any part thereof, as UKRI ; shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI the Trust or an auditor mandated by UKRI, the Trust as is reasonably necessary to enable UKRI the Trust to satisfy itself of the SupplierContractor's compliance with this Clause 15 Agreement and the Data Protection Legislation
; shall not contact the Trust’s supported organisations or clients directly or collect Personal Data in relation to the Trust’s supported organisations or clients without the Trust’s prior written consent; without prejudice to clause 13.6(c), shall, and shall procure that its sub-contractors shall, not process or direct the processing of any Personal Data outside of the European Economic Area unless and until: the Contractor and each sub-contractor proposing to process Personal Data have entered into Model Clauses with the Trust; or in accordance with the prior written consent of the Trust (i) such consent to be at the sole discretion of the Trust); without prejudice to clause 13.6(c), where any sub-contractors process Personal Data the Contractor shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 13; and shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of the Trust, either return the Personal Data in the format requested by the Trust or destroy (as elected by UKRI) the Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation. Without prejudice to clause 13.6(c), the Contractor shall not and shall procure that each of its sub-contractors shall not without the prior written consent of the Trust: use or permit any third party to use any Personal Data otherwise than for the sole benefit of the Trust and in accordance with the terms of this Agreement; and
disclose any Personal Data except on a need-to-know basis to Staff directly concerned with the provision of the Services; or disclose any Personal data to any persons to whom the Contractor is able to disclose such Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Trust in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty. The Contractor shall notify the Trust promptly and in any event within five (j5) Working Days if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Trust’s obligations and/or the rights of a Data Subject under the Data Protection Legislation; and any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, the Contractor shall promptly provide the Trust with its full cooperation and assistance as is reasonably required by the Trust in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation. The Contractor shall: notify UKRI without undue delay the Trust immediately on becoming aware of any Personal Data Breach Breach; and promptly following notification, provide such data, information and assistance as is reasonably required by UKRI the Trust in order for UKRI the Trust to notify the Personal Data Breach to the Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation. If any Personal Data is lost or corrupted as a result of any act or omission of the Contractor or any of its sub-contractors, the Contractor shall restore Personal Data at its own expense. If the Contractor fails to comply with the provisions of this clause 13, then it shall notify the Trust in writing of any failure to comply within 24 hours of the Contractor becoming aware of such failure to comply. Following notification, the Trust shall be entitled in its absolute discretion, to terminate this Agreement on written notice. The Trust may, in addition to or instead of terminating this Agreement, require the Contractor to undertake one or more of the following: immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach; provide such information as is reasonably required by the Trust in respect of the incident leading to such notification; and/or cease to process Personal Data, return all materials containing Personal Data and delete all copies. The Contractor shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless the Trust and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 13 by the Contractor, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 4 contracts
Sources: Service Contract, Contract Award Letter, Contract Award
Protection of Personal Data and Security of Data. 15.1 In this Clause 15, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation.
15.2 8.1 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller are separate and the Supplier is the data processor of any Personal Data.
15.3 independent controllers. The Supplier shall and shall procure that its staff and sub-contractors shall Parties will comply with all any obligations that they have under the Data Protection Legislation which arise in relation to any Personal Data processed.
15.4 Without limiting Clauses 15.2 connection with this Delegation Agreement and 15.3, the Supplier shall at all times (and shall ensure that at all times its staff):will:
(a) process Personal any Data only in accordance with for the documented instructions received from UKRI and during the Term purposes of this Contract. The Supplier shall immediately inform UKRI if, Delegation Agreement and/or the proper performance of their statutory duties in the Supplier's opinionpursuit of the Audit Objective and / or for compliance with any legal or regulatory obligation;
(b) not disclose the whole or any part of the Data to any third party, an instruction from UKRI infringes except to the extent reasonably necessary for the purposes of this Delegation Agreement, the proper performance of their statutory duties in the pursuit of the Audit Objective and/or as required under the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligationslaw or regulation;
(c) disclose any Personal put in place and maintain appropriate technical and organisational measures to protect the Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Servicesagainst unauthorised or unlawful processing and against accidental loss, alteration or destruction of, or damage to, such Data;
(d) not transfer or direct the transfer of any Personal Data to any third party or unlawfully process or direct permit the unlawful processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇)Data;
(e) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its not perform their obligations under this Delegation Agreement in such a way as to cause the other Party to breach any of their respective obligations under Data Protection Legislation;
(f) promptly notify the other Party of:
(i) any breach of the security requirements referred to in clause 8.1(c); and
(ii) any complaint, request, notice or communication in relation to the Data if such breach, complaint, request, notice or other communication is relevant to the other Party; and
(g) put in place within 21 days of the Effective Date and maintain reasonable organisational measures to notify UKRI promptly existing and new members of the RSB and bring to the attention of third parties that Personal Data held by the RSB in the performance of the Delegated Tasks may be provided to the FRC (or to another RSB as delegate of the FRC) for the necessary exercise of the FRC’s public functions in the public interest as Competent Authority for statutory audit (reasonable organisational measures may include but need not be limited to direct correspondence and clear and accessible website notices).
8.2 When handling the FRC data (whether or not Personal Data), the RSB will ensure the security of the data is maintained in line with the security requirements of the FRC, including as set out in clause 8.1(a) and as notified to the RSB from time to time.
8.3 Where either Party fails to comply with any of its obligations under this clause 8, the non-compliant Party will indemnify and keep indemnified and defend at least within 24 hours) if it receives a request from its own expense the other Party against all costs, claims, damages or expenses incurred by the compliant Party or for which the compliant Party may become liable due to any failure by the non-compliant Party, its employees or agents or any data processor, to comply with any of its obligations under this clause 8.
8.4 The FRC shall indemnify, and keep the RSB indemnified, against costs, claims, damages or expenses reasonably and properly incurred by the RSB arising out of, or in connection with, any claim made against the RSB by a Data Subject or investigation by the Information Commissioner arising out of, or in connection with, the RSB’s proper performance of its obligations under Appendix 7, paragraph 2, subject to the RSB having acted reasonably throughout the term of this Delegation Agreement to mitigate such prospective losses including but not limited to having complied with its obligations under clause 8.1 above.
8.5 The Parties shall not process the Data (nor permit the Data to be processed) in a complaint relating to a Data Subject and promptly provide UKRI with all territory outside the UK or (where applicable) the EU unless it has taken such data, information, cooperation and assistance measures as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably are necessary to enable UKRI to satisfy itself of ensure that the Supplier's transfer is in compliance with this Clause 15 and the Data Protection Legislation
(i) on termination or expiry of this Contract, and at any other time on UKRI's request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and
(j) notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under Data Protection Legislation.
Appears in 4 contracts
Sources: Delegation Agreement, Delegation Agreement, Delegation Agreement
Protection of Personal Data and Security of Data. 15.1 In this Clause 15clause 13, the terms, "processes", "data controller" and "data processor" term “processed” shall have the same meanings given to them under Data Protection Legislation.
15.2 . The Parties Trust and the Contractor acknowledge that for the purposes of Data Protection Legislation, UKRI the Trust is the data controller Data Controller and the Supplier Contractor is the data processor Data Processor of any Personal Data.
15.3 . The Supplier Contractor shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 processed relating to or originating from the Trust, its employees or supported organisations or clients. Neither party shall, and the Contractor shall procure that no sub-contractors shall, by act or omission put the other party in breach of the Data Protection Legislation. Without prejudice to clause 13.6(c), the Contractor shall, and shall procure that each of its sub-contractors shall, process Personal Data only: in such manner as is necessary for the Services; in accordance with documented instructions received from the Trust; and for the Term. Upon request by the Trust, the Contractor shall promptly provide to the Trust such copies of any Personal Data provided by or on behalf of the Trust to the Contractor under this Agreement and do such other acts in relation to the Personal Data or any part thereof as the Trust shall request which are required in order for the Trust to comply with any of its obligations under the Data Protection Legislation. Without limiting Clauses 15.2 and 15.3clause 13.3, the Supplier Contractor represents, warrants and undertakes to the Trust that the Contractor: shall not by any act or omission put the Trust in breach of the Data Protection Legislation; shall at all times (comply with, and shall ensure that at all times its staff):
(a) Staff and sub-contractors: are informed of the confidential nature of the Personal Data; have undertaken training in the laws relating to handling Personal Data; comply with, any guidelines, codes of practice, policies or other requirements notified to it by the Trust in connection with processing Personal Data; and are aware both of the Contractor’s duties and their personal duties and obligations under Data Protection Legislation; shall not allow any sub-contractors to have access to, receive or process Personal Data only in accordance with and the documented instructions received from UKRI and during the Term of this Contract. The Supplier Contractor shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party other person (including, without limitation, any data processor or process or direct other contractor) without the processing of Personal Data outside of the European Economic Area in each case without UKRI's Trust’s prior written consent (which such consent may to be subject to conditions as directed at the sole discretion of the Trust) and unless permitted under Data Protection Legislation and, where consent is given by ▇▇▇▇);
(e) the Trust, the Contractor shall only undertake such processing in accordance with the Trust’s instructions; shall keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do ; shall take all reasonable steps to ensure the reliability of any of its Staff who have access to Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Contractors obligations under this clause 13 in relation to respect of the Personal Data, or any part thereof, as UKRI ; shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI the Trust or an auditor mandated by UKRI, the Trust as is reasonably necessary to enable UKRI the Trust to satisfy itself of the SupplierContractor's compliance with this Clause 15 Agreement and the Data Protection Legislation
; shall not contact the Trust’s supported organisations or clients directly or collect Personal Data in relation to the Trust’s supported organisations or clients without the Trust’s prior written consent; without prejudice to clause 13.6(c), shall, and shall procure that its sub-contractors shall, not process or direct the processing of any Personal Data outside of the European Economic Area unless and until: the Contractor and each sub-contractor proposing to process Personal Data have entered into Model Clauses with the Trust; or in accordance with the prior written consent of the Trust (i) such consent to be at the sole discretion of the Trust); without prejudice to clause 13.6(c), where any sub-contractors process Personal Data the Contractor shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 13; and shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of the Trust, either return the Personal Data in the format requested by the Trust or destroy (as elected by UKRI) the Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation. Without prejudice to clause 13.6(c), the Contractor shall not and shall procure that each of its sub-contractors shall not without the prior written consent of the Trust: use or permit any third party to use any Personal Data otherwise than for the sole benefit of the Trust and in accordance with the terms of this Agreement; and
disclose any Personal Data except on a need-to-know basis to Staff directly concerned with the provision of the Services; or disclose any Personal data to any persons to whom the Contractor is able to disclose such Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Trust in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty. The Contractor shall notify the Trust promptly and in any event within five (j5) Working Days if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Trust’s obligations and/or the rights of a Data Subject under the Data Protection Legislation; and any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, the Contractor shall promptly provide the Trust with its full cooperation and assistance as is reasonably required by the Trust in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation. The Contractor shall: notify UKRI without undue delay the Trust immediately on becoming aware of any Personal Data Breach Breach; and promptly following notification, provide such data, information and assistance as is reasonably required by UKRI the Trust in order for UKRI the Trust to notify the Personal Data Breach to the Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation. If any Personal Data is lost or corrupted as a result of any act or omission of the Contractor or any of its sub-contractors, the Contractor shall restore Personal Data at its own expense. If the Contractor fails to comply with the provisions of this clause 13 then it shall notify the Trust in writing of any failure to comply within 24 hours of the Contractor becoming aware of such failure to comply. Following notification, the Trust shall be entitled in its absolute discretion, to terminate this Agreement on written notice. The Trust may, in addition to or instead of terminating this Agreement, require the Contractor to undertake one or more of the following: immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach; provide such information as is reasonably required by the Trust in respect of the incident leading to such notification; and/or cease to process Personal Data, return all materials containing Personal Data and delete all copies. The Contractor shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless the Trust and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 13 by the Contractor, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 2 contracts
Sources: Contract Award Letter, Contract Award Letter
Protection of Personal Data and Security of Data. 15.1 In this Clause 15clause 13, the terms, "processes"terms “processed”, "data controller" ” and "“data processor" ” shall have the same meanings given to them under Data Protection Legislation.
15.2 . The Parties Trust and the Contractor acknowledge that for the purposes of Data Protection Legislation, UKRI the Trust is the data controller and the Supplier Contractor is the data processor of any Personal Data.
15.3 . The Supplier Contractor shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 processed relating to or originating from the Trust, its employees or supported organisations or clients. Neither party shall, and the Contractor shall procure that no sub-contractors shall, by act or omission put the other party in breach of the Data Protection Legislation. Without prejudice to clause 13.6(c), the Contractor shall, and shall procure that each of its sub-contractors shall, process Personal Data only: in such manner as is necessary for the Services; in accordance with documented instructions received from the Trust; and for the Term. Upon request by the Trust, the Contractor shall promptly provide to the Trust such copies of any Personal Data provided by or on behalf of the Trust to the Contractor under this Agreement and do such other acts in relation to the Personal Data or any part thereof as the Trust shall request which are required in order for the Trust to comply with any of its obligations under the Data Protection Legislation. Without limiting Clauses 15.2 and 15.3clause 13.3, the Supplier Contractor represents, warrants and undertakes to the Trust that the Contractor: shall not by any act or omission put the Trust in breach of the Data Protection Legislation; shall at all times (comply with, and shall ensure that at all times its staff):
(a) Staff and sub-contractors: are informed of the confidential nature of the Personal Data; have undertaken training in the laws relating to handling Personal Data; comply with, any guidelines, codes of practice, policies or other requirements notified to it by the Trust in connection with processing Personal Data; and are aware both of the Contractor’s duties and their personal duties and obligations under Data Protection Legislation; shall not allow any sub-contractors to have access to, receive or process Personal Data only in accordance with and the documented instructions received from UKRI and during the Term of this Contract. The Supplier Contractor shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party other person (including, without limitation, any data processor or process or direct other contractor) without the processing of Personal Data outside of the European Economic Area in each case without UKRI's Trust’s prior written consent (which such consent may to be subject to conditions as directed at the sole discretion of the Trust) and unless permitted under Data Protection Legislation and, where consent is given by ▇▇▇▇);
(e) the Trust, the Contractor shall only undertake such processing in accordance with the Trust’s instructions; shall keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do ; shall take all reasonable steps to ensure the reliability of any of its Staff who have access to Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Contractors obligations under this clause 13 in relation to respect of the Personal Data, or any part thereof, as UKRI ; shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI the Trust or an auditor mandated by UKRI, the Trust as is reasonably necessary to enable UKRI the Trust to satisfy itself of the SupplierContractor's compliance with this Clause 15 Agreement and the Data Protection Legislation
; shall not contact the Trust’s supported organisations or clients directly or collect Personal Data in relation to the Trust’s supported organisations or clients without the Trust’s prior written consent; without prejudice to clause 13.6(c), shall, and shall procure that its sub-contractors shall, not process or direct the processing of any Personal Data outside of the European Economic Area unless and until: the Contractor and each sub-contractor proposing to process Personal Data have entered into Model Clauses with the Trust; or in accordance with the prior written consent of the Trust (i) such consent to be at the sole discretion of the Trust); without prejudice to clause 13.6(c), where any sub-contractors process Personal Data the Contractor shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 13; and shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of the Trust, either return the Personal Data in the format requested by the Trust or destroy (as elected by UKRI) the Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation. Without prejudice to clause 13.6(c), the Contractor shall not and shall procure that each of its sub-contractors shall not without the prior written consent of the Trust: use or permit any third party to use any Personal Data otherwise than for the sole benefit of the Trust and in accordance with the terms of this Agreement; and
disclose any Personal Data except on a need to know basis to Staff directly concerned with the provision of the Services; or disclose any Personal data to any persons to whom the Contractor is able to disclose such Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Trust in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty. The Contractor shall notify the Trust promptly and in any event within five (j5) Business Days if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Trust’s obligations and/or the rights of a Data Subject under the Data Protection Legislation; and any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, the Contractor shall promptly provide the Trust with its full cooperation and assistance as is reasonably required by the Trust in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation. The Contractor shall: notify UKRI without undue delay the Trust immediately on becoming aware of any Personal Data Breach Breach; and promptly following notification, provide such data, information and assistance as is reasonably required by UKRI the Trust in order for UKRI the Trust to notify the Personal Data Breach to the Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation. If any Personal Data is lost or corrupted as a result of any act or omission of the Contractor or any of its sub-contractors, the Contractor shall restore Personal Data at its own expense. If the Contractor fails to comply with the provisions of this clause 13 then it shall notify the Trust in writing of any failure to comply within 24 hours of the Contractor becoming aware of such failure to comply. Following notification, the Trust shall be entitled in its absolute discretion, to terminate this Agreement on written notice. The Trust may, in addition to or instead of terminating this Agreement, require the Contractor to undertake one or more of the following: immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach; provide such information as is reasonably required by the Trust in respect of the incident leading to such notification; and/or cease to process Personal Data, return all materials containing Personal Data and delete all copies. The Contractor shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless the Trust and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 13 by the Contractor, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 2 contracts
Sources: Award Letter, Contract for Services
Protection of Personal Data and Security of Data. 15.1 In this Clause 15clause 23, the terms, "processes", "data controller" and "data processor" term “processed” shall have the same meanings given to them under Data Protection Legislation.
15.2 . The Parties Trust and the Contractor acknowledge that for the purposes of Data Protection Legislation, UKRI the Trust is the data controller Data Controller and the Supplier Contractor is the data processor Data Processor of any Personal Data.
15.3 . The Supplier Contractor shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 processed relating to or originating from the Trust, its employees or supported organisations or clients. Neither party shall, and the Contractor shall procure that no sub-contractors shall, by act or omission put the other party in breach of the Data Protection Legislation. Without prejudice to clause 23.6(c), the Contractor shall, and shall procure that each of its sub-contractors shall, process Personal Data only: in such manner as is necessary for the Services; in accordance with documented instructions received from the Trust; and for the Term. Upon request by the Trust, the Contractor shall promptly provide to the Trust such copies of any Personal Data provided by or on behalf of the Trust to the Contractor under this Agreement and do such other acts in relation to the Personal Data or any part thereof as the Trust shall request which are required in order for the Trust to comply with any of its obligations under the Data Protection Legislation. Without limiting Clauses 15.2 and 15.3clause 23.3, the Supplier Contractor represents, warrants and undertakes to the Trust that the Contractor: shall not by any act or omission put the Trust in breach of the Data Protection Legislation; shall at all times (comply with, and shall ensure that at all times its staff):
(a) Staff and sub-contractors: are informed of the confidential nature of the Personal Data; have undertaken training in the laws relating to handling Personal Data; comply with, any guidelines, codes of practice, policies or other requirements notified to it by the Trust in connection with processing Personal Data; and are aware both of the Contractor’s duties and their personal duties and obligations under Data Protection Legislation; shall not allow any sub-contractors to have access to, receive or process Personal Data only in accordance with and the documented instructions received from UKRI and during the Term of this Contract. The Supplier Contractor shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party other person (including, without limitation, any data processor or process or direct other contractor) without the processing of Personal Data outside of the European Economic Area in each case without UKRI's Trust’s prior written consent (which such consent may to be subject to conditions as directed at the sole discretion of the Trust) and unless permitted under Data Protection Legislation and, where consent is given by ▇▇▇▇);
(e) the Trust, the Contractor shall only undertake such processing in accordance with the Trust’s instructions; shall keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do ; shall take all reasonable steps to ensure the reliability of any of its Staff who have access to Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Contractors obligations under this clause 23 in relation to respect of the Personal Data, or any part thereof, as UKRI ; shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI the Trust or an auditor mandated by UKRI, the Trust as is reasonably necessary to enable UKRI the Trust to satisfy itself of the SupplierContractor's compliance with this Clause 15 Agreement and the Data Protection Legislation
; shall not contact the Trust’s supported organisations or clients directly or collect Personal Data in relation to the Trust’s supported organisations or clients without the Trust’s prior written consent; without prejudice to clause 23.6(c), shall, and shall procure that its sub-contractors shall, not process or direct the processing of any Personal Data outside of the European Economic Area unless and until: the Contractor and each sub-contractor proposing to process Personal Data have entered into Model Clauses with the Trust; or in accordance with the prior written consent of the Trust (i) such consent to be at the sole discretion of the Trust); without prejudice to clause 23.6(c), where any sub-contractors process Personal Data the Contractor shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 23; and shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of the Trust, either return the Personal Data in the format requested by the Trust or destroy (as elected by UKRI) the Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation. Without prejudice to clause 23.6(c), the Contractor shall not and shall procure that each of its sub-contractors shall not without the prior written consent of the Trust: use or permit any third party to use any Personal Data otherwise than for the sole benefit of the Trust and in accordance with the terms of this Agreement; and
disclose any Personal Data except on a need to know basis to Staff directly concerned with the provision of the Services; or disclose any Personal data to any persons to whom the Contractor is able to disclose such Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Trust in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty. The Contractor shall notify the Trust promptly and in any event within five (j5) Working Days if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Trust’s obligations and/or the rights of a Data Subject under the Data Protection Legislation; and any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, the Contractor shall promptly provide the Trust with its full cooperation and assistance as is reasonably required by the Trust in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation. The Contractor shall: notify UKRI without undue delay the Trust immediately on becoming aware of any Personal Data Breach Breach; and promptly following notification, provide such data, information and assistance as is reasonably required by UKRI the Trust in order for UKRI the Trust to notify the Personal Data Breach to the Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation. If any Personal Data is lost or corrupted as a result of any act or omission of the Contractor or any of its sub-contractors, the Contractor shall restore Personal Data at its own expense. If the Contractor fails to comply with the provisions of this clause 23 then it shall notify the Trust in writing of any failure to comply within 24 hours of the Contractor becoming aware of such failure to comply. Following notification, the Trust shall be entitled in its absolute discretion, to terminate this Agreement on written notice. The Trust may, in addition to or instead of terminating this Agreement, require the Contractor to undertake one or more of the following: immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach; provide such information as is reasonably required by the Trust in respect of the incident leading to such notification; and/or cease to process Personal Data, return all materials containing Personal Data and delete all copies. The Contractor shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless the Trust and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 23 by the Contractor, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 2 contracts
Sources: Contract Award Letter, Contract for the Supply of Research Services
Protection of Personal Data and Security of Data. 15.1 In this Clause 15clause 13, the terms, "processes", "data controller" and "data processor" term “processed” shall have the same meanings given to them under Data Protection Legislation.
15.2 . The Parties Trust and the Contractor acknowledge that for the purposes of Data Protection Legislation, UKRI the Trust is the data controller Data Controller and the Supplier Contractor is the data processor Data Processor of any Personal Data.
15.3 . The Supplier Contractor shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 processed relating to or originating from the Trust, its employees or supported organisations or clients. Neither party shall, and the Contractor shall procure that no sub-contractors shall, by act or omission put the other party in breach of the Data Protection Legislation. Without prejudice to clause 13.6(c), the Contractor shall, and shall procure that each of its sub-contractors shall, process Personal Data only: in such manner as is necessary for the Services; in accordance with documented instructions received from the Trust; and for the Term. Upon request by the Trust, the Contractor shall promptly provide to the Trust such copies of any Personal Data provided by or on behalf of the Trust to the Contractor under this Agreement and do such other acts in relation to the Personal Data or any part thereof as the Trust shall request which are required in order for the Trust to comply with any of its obligations under the Data Protection Legislation. Without limiting Clauses 15.2 and 15.3clause 13.3, the Supplier Contractor represents, warrants and undertakes to the Trust that the Contractor: shall not by any act or omission put the Trust in breach of the Data Protection Legislation; shall at all times (comply with, and shall ensure that at all times its staff):
(a) Staff and sub-contractors: are informed of the confidential nature of the Personal Data; have undertaken training in the laws relating to handling Personal Data; comply with, any guidelines, codes of practice, policies or other requirements notified to it by the Trust in connection with processing Personal Data; and are aware both of the Contractor’s duties and their personal duties and obligations under Data Protection Legislation; shall not allow any sub-contractors to have access to, receive or process Personal Data only in accordance with and the documented instructions received from UKRI and during the Term of this Contract. The Supplier Contractor shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party other person (including, without limitation, any data processor or process or direct other contractor) without the processing of Personal Data outside of the European Economic Area in each case without UKRI's Trust’s prior written consent (which such consent may to be subject to conditions as directed at the sole discretion of the Trust) and unless permitted under Data Protection Legislation and, where consent is given by ▇▇▇▇);
(e) the Trust, the Contractor shall only undertake such processing in accordance with the Trust’s instructions; shall keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do ; shall take all reasonable steps to ensure the reliability of any of its Staff who have access to Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Contractors obligations under this clause 13 in relation to respect of the Personal Data, or any part thereof, as UKRI ; shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI the Trust or an auditor mandated by UKRI, the Trust as is reasonably necessary to enable UKRI the Trust to satisfy itself of the SupplierContractor's compliance with this Clause 15 Agreement and the Data Protection Legislation
; shall not contact the Trust’s supported organisations or clients directly or collect Personal Data in relation to the Trust’s supported organisations or clients without the Trust’s prior written consent; without prejudice to clause 13.6(c), shall, and shall procure that its sub-contractors shall, not process or direct the processing of any Personal Data outside of the European Economic Area unless and until: the Contractor and each sub-contractor proposing to process Personal Data have entered into Model Clauses with the Trust; or in accordance with the prior written consent of the Trust (i) such consent to be at the sole discretion of the Trust); without prejudice to clause 13.6(c), where any sub-contractors process Personal Data the Contractor shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 13; and shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of the Trust, either return the Personal Data in the format requested by the Trust or destroy (as elected by UKRI) the Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation. Without prejudice to clause 13.6(c), the Contractor shall not and shall procure that each of its sub-contractors shall not without the prior written consent of the Trust: use or permit any third party to use any Personal Data otherwise than for the sole benefit of the Trust and in accordance with the terms of this Agreement; and
disclose any Personal Data except on a need to know basis to Staff directly concerned with the provision of the Services; or disclose any Personal data to any persons to whom the Contractor is able to disclose such Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Trust in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty. The Contractor shall notify the Trust promptly and in any event within five (j5) Working Days if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Trust’s obligations and/or the rights of a Data Subject under the Data Protection Legislation; and any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, the Contractor shall promptly provide the Trust with its full cooperation and assistance as is reasonably required by the Trust in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation. The Contractor shall: notify UKRI without undue delay the Trust immediately on becoming aware of any Personal Data Breach Breach; and promptly following notification, provide such data, information and assistance as is reasonably required by UKRI the Trust in order for UKRI the Trust to notify the Personal Data Breach to the Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation. If any Personal Data is lost or corrupted as a result of any act or omission of the Contractor or any of its sub-contractors, the Contractor shall restore Personal Data at its own expense. If the Contractor fails to comply with the provisions of this clause 13 then it shall notify the Trust in writing of any failure to comply within 24 hours of the Contractor becoming aware of such failure to comply. Following notification, the Trust shall be entitled in its absolute discretion, to terminate this Agreement on written notice. The Trust may, in addition to or instead of terminating this Agreement, require the Contractor to undertake one or more of the following: immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach; provide such information as is reasonably required by the Trust in respect of the incident leading to such notification; and/or cease to process Personal Data, return all materials containing Personal Data and delete all copies. The Contractor shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless the Trust and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 13 by the Contractor, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 1 contract
Sources: Contract Award
Protection of Personal Data and Security of Data. 15.1 In this Clause 15, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation.
15.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Supplier is the data processor of any Personal Data.
15.3 The Supplier shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 Without limiting Clauses 15.2 and 15.3, the Supplier shall at all times (and shall ensure that at all times its staff):
(a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Term of this Contract. The Supplier shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRIUKRI 's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇▇ );
(e) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access;
(f) upon request by UKRIUKRI , promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRIUKRI , as is reasonably necessary to enable UKRI to satisfy itself of the Supplier's compliance with this Clause 15 and the Data Protection Legislation
(i) on termination or expiry of this Contract, and at any other time on UKRI's request, either return or destroy (as elected by UKRIUKRI ) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and
(j) notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under Data Protection Legislation.
Appears in 1 contract
Sources: Award of Contract for the Delivery of Developing a Successful Stem Pay Case
Protection of Personal Data and Security of Data. 15.1 In this Clause 15clause 13, the terms, "processes", "data controller" and "data processor" term “processed” shall have the same meanings given to them under Data Protection Legislation.
15.2 . The Parties Trust and the Contractor acknowledge that for the purposes of Data Protection Legislation, UKRI the Trust is the data controller Data Controller and the Supplier Contractor is the data processor Data Processor of any Personal Data.
15.3 . The Supplier Contractor shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 processed relating to or originating from the Trust, its employees or supported organisations or clients. Neither party shall, and the Contractor shall procure that no sub-contractors shall, by act or omission put the other party in breach of the Data Protection Legislation. Without prejudice to clause (c), the Contractor shall, and shall procure that each of its sub-contractors shall, process Personal Data only: in such manner as is necessary for the Services; in accordance with documented instructions received from the Trust; and for the Term. Upon request by the Trust, the Contractor shall promptly provide to the Trust such copies of any Personal Data provided by or on behalf of the Trust to the Contractor under this Agreement and do such other acts in relation to the Personal Data or any part thereof as the Trust shall request which are required in order for the Trust to comply with any of its obligations under the Data Protection Legislation. Without limiting Clauses 15.2 and 15.3clause 13.3, the Supplier Contractor represents, warrants and undertakes to the Trust that the Contractor: shall not by any act or omission put the Trust in breach of the Data Protection Legislation; shall at all times (comply with, and shall ensure that at all times its staff):
(a) Staff and sub-contractors: are informed of the confidential nature of the Personal Data; have undertaken training in the laws relating to handling Personal Data; comply with, any guidelines, codes of practice, policies or other requirements notified to it by the Trust in connection with processing Personal Data; and are aware both of the Contractor’s duties and their personal duties and obligations under Data Protection Legislation; shall not allow any sub-contractors to have access to, receive or process Personal Data only in accordance with and the documented instructions received from UKRI and during the Term of this Contract. The Supplier Contractor shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party other person (including, without limitation, any data processor or process or direct other contractor) without the processing of Personal Data outside of the European Economic Area in each case without UKRI's Trust’s prior written consent (which such consent may to be subject to conditions as directed at the sole discretion of the Trust) and unless permitted under Data Protection Legislation and, where consent is given by ▇▇▇▇);
(e) the Trust, the Contractor shall only undertake such processing in accordance with the Trust’s instructions; shall keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do ; shall take all reasonable steps to ensure the reliability of any of its Staff who have access to Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Contractors obligations under this clause 13 in relation to respect of the Personal Data, or any part thereof, as UKRI ; shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI the Trust or an auditor mandated by UKRI, the Trust as is reasonably necessary to enable UKRI the Trust to satisfy itself of the SupplierContractor's compliance with this Clause 15 Agreement and the Data Protection Legislation
; shall not contact the Trust’s supported organisations or clients directly or collect Personal Data in relation to the Trust’s supported organisations or clients without the Trust’s prior written consent; without prejudice to clause (i) c), shall, and shall procure that its sub-contractors shall, not process or direct the processing of any Personal Data outside of the European Economic Area unless and until: the Contractor and each sub-contractor proposing to process Personal Data have entered into Model Clauses with the Trust; or in accordance with the prior written consent of the Trust (such consent to be at the sole discretion of the Trust); without prejudice to clause (c), where any sub-contractors process Personal Data the Contractor shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 13; and shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of the Trust, either return the Personal Data in the format requested by the Trust or destroy (as elected by UKRI) the Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation. Without prejudice to clause (c), the Contractor shall not and shall procure that each of its sub-contractors shall not without the prior written consent of the Trust: use or permit any third party to use any Personal Data otherwise than for the sole benefit of the Trust and in accordance with the terms of this Agreement; and
disclose any Personal Data except on a need to know basis to Staff directly concerned with the provision of the Services; or disclose any Personal data to any persons to whom the Contractor is able to disclose such Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Trust in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty. The Contractor shall notify the Trust promptly and in any event within five (j5) Working Days if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the Trust’s obligations and/or the rights of a Data Subject under the Data Protection Legislation; and any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, the Contractor shall promptly provide the Trust with its full cooperation and assistance as is reasonably required by the Trust in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation. The Contractor shall: notify UKRI without undue delay the Trust immediately on becoming aware of any Personal Data Breach Breach; and promptly following notification, provide such data, information and assistance as is reasonably required by UKRI the Trust in order for UKRI the Trust to notify the Personal Data Breach to the Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation. If any Personal Data is lost or corrupted as a result of any act or omission of the Contractor or any of its sub-contractors, the Contractor shall restore Personal Data at its own expense. If the Contractor fails to comply with the provisions of this clause 13 then it shall notify the Trust in writing of any failure to comply within 24 hours of the Contractor becoming aware of such failure to comply. Following notification, the Trust shall be entitled in its absolute discretion, to terminate this Agreement on written notice. The Trust may, in addition to or instead of terminating this Agreement, require the Contractor to undertake one or more of the following: immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach; provide such information as is reasonably required by the Trust in respect of the incident leading to such notification; and/or cease to process Personal Data, return all materials containing Personal Data and delete all copies. The Contractor shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless the Trust and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 13 by the Contractor, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 1 contract
Sources: Contract Award
Protection of Personal Data and Security of Data. 15.1 In this Clause 15, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation.
15.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller controller, and the Supplier is the data processor of any Personal Data.
15.3 The Supplier shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 Without limiting Clauses 15.2 and 15.3, the Supplier shall at all times (and shall ensure that at all times its staff):
(a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Term of this Contract. The Supplier shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to need-to-know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇);
(e) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Supplier's compliance with this Clause 15 and the Data Protection Legislation
(i) on termination or expiry of this Contract, and at any other time on UKRI's request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and
(j) notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under Data Protection Legislation.
Appears in 1 contract
Sources: Contract Award
Protection of Personal Data and Security of Data. 15.1 In this Clause 1513.1 Both parties shall, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation.
15.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Supplier is the data processor of any Personal Data.
15.3 The Supplier shall and shall procure that its staff and sub-contractors shall Staff shall, comply with all any notification requirements under the Data Protection Legislation Laws and both parties shall duly observe all of their obligations under the Data Protection Laws which arise in relation to any connection with this agreement.
13.2 Notwithstanding the general obligation in condition 13.1, where the Client is uploading Personal Data processed.
15.4 Without limiting Clauses 15.2 and 15.3within an AutoFlow System, the Supplier shall at all times (and shall ensure that at all times its staff):Client shall:
(a) guarantee that it has received all the necessary consents and rights by the Data Controller to process the Personal Data only in accordance with for the documented instructions received from UKRI and during the Term purpose of this Contract. The Supplier shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable lawprogressing a claim;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇);
(e) keep all Personal Data confidential, and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all ensure the security of the Personal Data confidential and secure (and to protect guard against unauthorised or unlawful processingprocessing of the Personal Data and against accidental loss or destruction of, accidental lossor damage to, destructionthe Personal Data), damage, alteration, disclosure or accessas required under the Seventh Data Protection Principle in Schedule 1 of the Data Protection Laws;
(fc) upon request by UKRI, promptly do such provide AutoFlow with the right to access data and any other acts in relation to information stored and captured on the Personal Data, Clients IT systems or any part thereof, other storage repository as UKRI shall AutoFlow may reasonably request to enable UKRI to comply satisfy itself that the Client is complying with its obligations under the Data Protection LegislationLaws and, if necessary, carry out any actions to ensure compliance thereof;
(gd) notify UKRI promptly (and at least within 24 hours) if ensure that it receives a request from a Data Subject does not knowingly or a complaint relating negligently do or omit to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI do anything which places AutoFlow in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself breach of the Supplier's compliance with this Clause 15 and AutoFlow’s obligations under the Data Protection LegislationLaws; and
(e) promptly notify AutoFlow of:
(i) on termination any perceived or expiry actual breach of this Contractthe security requirements of any of AutoFlow’s Systems as referred to in condition 13.3;
(ii) any request for Personal Data;
13.3 When handling AutoFlow data (whether or not Personal Data), the Client shall ensure the security of the data is maintained in line with good industry practice and at any other the security requirements of AutoFlow as notified to the Client from time on UKRI's requestto time.
13.4 The Client shall indemnify and hold harmless AutoFlow from all claims and all direct, either return indirect or destroy (as elected by UKRI) the Personal Data consequential liabilities (including all copies loss of itprofits, loss of business, depletion of goodwill and similar losses), costs, proceedings, damages and expenses (including legal and other professional fees and expenses) and confirm awarded against, or incurred or paid as a result of or in writing that it has complied connection with this obligation; and
(j) notify UKRI without undue delay on becoming aware any alleged claim or actual infringement, whether or not under English Law, of any AutoFlow data (whether or not Personal Data Breach and promptly following notificationData) out of the use of the supply of the services contemplated by this agreement or by any negligent act by, provide such dataor failure or omission of, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under Data Protection LegislationClient.
Appears in 1 contract
Protection of Personal Data and Security of Data. 15.1
14.1 In this Clause 15, the terms, "processes", "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation.
15.2 14.2 The Parties acknowledge that for the purposes of Data Protection Legislation, UKRI is the data controller and the Supplier is the data processor of any Personal Data.
15.3 14.3 The Supplier shall and shall procure that its staff and sub-contractors shall comply with all Data Protection Legislation in relation to any Personal Data processed.
15.4 14.4 Without limiting Clauses 15.2 and 15.3, the Supplier shall at all times (and shall ensure that at all times its staff):
(a) process Personal Data only in accordance with the documented instructions received from UKRI and during the Term of this Contract. The Supplier shall immediately inform UKRI if, in the Supplier's opinion, an instruction from UKRI infringes the Data Protection Legislation or any other applicable law;
(b) ensure that any person to whom it provides the Personal Data is subject to appropriate confidentiality obligations;
(c) disclose any Personal Data only on a need to know basis to staff directly concerned with the provision of the Goods and/or Services;
(d) not transfer or direct the transfer of any Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject besubject to conditions as directed by ▇▇▇▇);
(e) keep all Personal Data confidential, and have in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or access;
(f) upon request by UKRI, promptly do such other acts in relation to the Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(g) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) provide such information and allow for and contribute to audits, including inspections, conducted by UKRI or an auditor mandated by UKRI, as is reasonably necessary to enable UKRI to satisfy itself of the Supplier's compliance with this Clause 15 and the Data Protection Legislation
(i) on termination or expiry of this Contract, and at any other time on UKRI's request, either return or destroy (as elected by UKRI) the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation; and
(j) notify UKRI without undue delay on becoming aware of any Personal Data Breach and promptly following notification, provide such data, information and assistance as is required by UKRI in order for UKRI to notify the Personal Data Breach to the Information Commissioner and/or Data Subject(s) and otherwise fulfil its obligations under Data Protection Legislation.
Appears in 1 contract
Sources: Goods & Services Contract
Protection of Personal Data and Security of Data. 15.1 18.1 In this Clause 15clause 18, the terms, "processes"terms “processed”, "data controller" ” and "“data processor" ” shall have the same meanings given to them under Data Protection Legislation.
15.2 The Parties 18.2 ACE and the Supplier acknowledge that for the purposes of Data Protection Legislation, UKRI ACE is the data controller and the Supplier is the data processor of any ACE Personal Data.
15.3 18.3 The Supplier shall and shall procure that its staff Staff and sub-contractors shall comply with all Data Protection Legislation in relation to any ACE Personal Data processedprocessed relating to or originating from ACE, its employees or supported organisations or clients. Neither Party shall, and the Supplier shall procure that no Staff and no sub-contractors shall, by act or omission put the other Party in breach of the Data Protection Legislation.
15.4 18.4 Without limiting Clauses 15.2 prejudice to clause 18.7(c), the Supplier shall, and 15.3shall procure that each of its sub-contractors shall, process ACE Personal Data only:
(a) in such manner as is necessary for the Services;
(b) in accordance with documented instructions received from ACE; and
(c) for the Term.
18.5 The Supplier shall immediately notify ACE if the Supplier believes that any of ACE’s instructions infringes the Data Protection Legislation.
18.6 Upon request by ACE, the Supplier shall promptly provide to ACE such copies of any ACE Personal Data provided by or on behalf of ACE to the Supplier under this Agreement and do such other acts in relation to the ACE Personal Data or any part thereof as ACE shall request which are required in order for ACE to comply with any of its obligations under the Data Protection Legislation.
18.7 Without limiting clause 18.3, the Supplier represents, warrants and undertakes to ACE that the Supplier:
(a) shall not by any act or omission put ACE in breach of the Data Protection Legislation;
(b) shall at all times (comply with, and shall ensure that at all times its staff):Staff and sub- contractors:
(ai) process only gain access to the ACE Personal Data only in accordance with on a need-to-know basis and as necessary for the documented instructions received from UKRI and during provision of the Term Services;
(ii) are informed of this Contract. The Supplier shall immediately inform UKRI if, the confidential nature of the ACE Personal Data;
(iii) have undertaken training in the Supplier's opinion, an instruction from UKRI infringes laws relating to the Data Protection Legislation or any other applicable lawand handling ACE Personal Data;
(biv) ensure that comply with, any person guidelines, codes of practice, policies or other requirements notified to whom it provides by ACE in connection with processing ACE Personal Data; and
(v) are aware both of the Personal Data is subject to appropriate confidentiality obligations;Supplier’s duties and their personal duties and
(c) disclose shall not allow any sub-contractors to have access to, receive or process ACE Personal Data and the Supplier shall not transfer any ACE Personal Data to any other person (including, without limitation, any data processor or other contractor) without ACE’s prior written consent (such consent to be at the sole discretion of ACE) and, where consent is given by ACE, the Supplier shall only on a need to know basis to staff directly concerned undertake such processing in accordance with ACE’s instructions and Data Protection Legislation.; As between ACE and the provision Supplier, the Supplier shall be responsible for all acts and omissions of the Goods and/or Servicesany sub-contractors;
(d) not transfer or direct the transfer of any shall keep all ACE Personal Data to any third party or process or direct the processing of Personal Data outside of the European Economic Area in each case without UKRI's prior written consent (which consent may be subject to conditions as directed by ▇▇▇▇);
(e) keep all Personal Data confidential, confidential and have has in place now and shall on a continuing basis take all reasonable appropriate technical and organisational measures to keep all ACE Personal Data confidential and secure and to protect against unauthorised or unlawful processing, accidental loss, destruction, destruction damage, alteration, disclosure or access;
(fe) upon request by UKRI, promptly do shall take all reasonable steps to ensure the reliability of any of its Staff who have access to ACE Personal Data processed in connection with this Agreement and to ensure that such other acts Staff understand the Suppliers obligations under this clause 18 in relation to respect of the Personal Data and the confidential nature of ACE Personal Data, or any part thereof, as UKRI shall request to enable UKRI to comply with its obligations under the Data Protection Legislation;
(gf) notify UKRI promptly (and at least within 24 hours) if it receives a request from a Data Subject or a complaint relating to a Data Subject and promptly provide UKRI with all such data, information, cooperation and assistance as is required by UKRI in order to respond to and resolve the request or complaint within any applicable time frames;
(h) shall provide such information and and, on reasonable prior notice, allow for and contribute to audits, including inspections, conducted by UKRI ACE or an auditor mandated by UKRI, ACE as is reasonably necessary to enable UKRI ACE to satisfy itself of the Supplier's compliance with this Clause 15 Agreement and the Data Protection Legislation;
(g) shall not contact ACE’s supported organisations or clients directly or collect ACE Personal Data in relation to ACE’s supported organisations or clients without ACE’s prior written consent;
(h) without prejudice to clause 18.7(c), shall, and shall procure that its sub- contractors shall, not process or direct the processing of any Personal Data outside of the UK unless and until:
(i) [the ACE Personal Data is transferred to countries or territories deemed by the UK Information Commissioner or the Secretary of State to provide adequate level of protection on Personal Data as the UK GDPR;] [Drafting Note: The UK ICO has confirmed that after the Brexit transition period, data transfers to the EEA, countries deemed by the EU to be adequate, and Gibraltar, can continue without restrictions. However please note that the UK can in theory withdraw such recognition at any time. This sub-clause permits the supplier to transfer ACE Personal Data to these territories without the need for seeking ▇▇▇’s consent. If ACE prefers to retain control over any international data transfers, please delete this sub-clause (i).]
(ii) the Supplier and each sub-contractor proposing to process ACE Personal Data have entered into Model Clauses with ACE; or
(iii) in accordance with the prior written consent of ACE (such consent to be at the sole discretion of ACE);
(i) without prejudice to clause 18.7(c), where any sub-contractors process ACE Personal Data the Supplier shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this clause 18; and
(j) shall on termination or expiry of this ContractAgreement, and at any other time on UKRI's requestthe request of ACE, either return the ACE Personal Data in the format requested by ACE or destroy (as elected by UKRI) the ACE Personal Data (including all copies of it) ), in either case immediately and confirm in writing that it has complied with this obligation; and.
18.8 Without prejudice to clause 18.7(c), the Supplier shall not and shall procure that each of its sub-contractors shall not without the prior written consent of ACE:
(ja) use or permit any third party to use any ACE Personal Data otherwise than for the sole benefit of ACE and in accordance with the terms of this Agreement;
(b) disclose any ACE Personal Data except on a need to know basis to Staff directly concerned with the provision of the Services; or
(c) disclose any ACE Personal Data to any persons to whom the Supplier is able to disclose such ACE Personal Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to ACE in respect of such information and to use all reasonable endeavours to ensure that such persons comply with such duty.
18.9 The Supplier shall notify ACE promptly and in any event within 2 (two) Working Days if it receives:
(a) a request from a Data Subject of ACE Personal Date to have access to that person’s Personal Data; or
(b) a complaint or request relating to ACE’s obligations and/or the rights of a Data Subject of ACE Personal Data under the Data Protection Legislation; or
(c) any other communication relating directly or indirectly to the processing of any ACE Personal Data in connection with this Agreement; and in each case, the Supplier shall promptly provide ACE with its full cooperation and assistance as is reasonably required by ACE in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation.
18.10 The Supplier shall:
(a) notify UKRI ACE without undue delay on becoming aware of any Personal Data Breach and relating to the ACE Personal Data; and
(b) promptly following notification, provide such data, information and assistance as is reasonably required by UKRI ACE in order for UKRI ACE to notify the Personal Data Breach to the UK Information Commissioner and/or any Data Subject(s) and otherwise fulfil its obligations under Subjects, in accordance with Data Protection Legislation.
18.11 If any ACE Personal Data is lost or corrupted as a result of any act or omission of the Supplier or any of its sub-contractors, the Supplier shall restore ACE Personal Data at its own expense.
18.12 If the Supplier fails to comply with the provisions of this clause 18 then it shall notify ACE in writing of any failure to comply within 24 (twenty-four) hours of the Supplier becoming aware of such failure to comply. Following notification, ACE shall be entitled in its absolute discretion, to terminate this Agreement on written notice. ACE may, in addition to or instead of terminating this Agreement, require the Supplier to undertake one or more of the following:
(a) immediately take such remedial action as is required to ensure compliance with this Agreement and/or the Data Protection Legislation and prevent and/or remedy any breach;
(b) provide such information as is reasonably required by ACE in respect of the incident leading to such notification; and/or
(c) cease to process ACE Personal Data, return all materials containing ACE Personal Data and delete all copies.
18.13 The Supplier shall on demand fully and effectively indemnify, keep indemnified, defend and hold harmless ACE and its respective directors, officers, agents, employees, successors and assigns from any and all losses, including all claims, expenses, damages, proceedings, costs, and other liabilities resulting from or in connection with any failure to comply with the provisions of this clause 18 by the Supplier, its Staff, sub-contractors, third party agents, contractors and associated persons.
Appears in 1 contract
Sources: Supply Agreement