Common use of Protection of Personal Data and Security of Data Clause in Contracts

Protection of Personal Data and Security of Data.

13.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 1. The only processing that the Contractor is authorised to do is listed in Schedule 1 by the Customer and may not be determined by the Contractor.

13.2. The Contractor shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.

13.3. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include:
  a. a systematic description of the envisaged processing operations and the purpose of the processing;
  b. an assessment of the necessity and proportionality of the processing operations in relation to the Services;
  c. an assessment of the risks to the rights and freedoms of Data Subjects; and
  d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

13.4. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
  a. process that Personal Data only in accordance with Schedule 1 unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law;
  b. ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), having taken account of the:
    i. nature of the data to be protected;
    ii. harm that might result from a Data Loss Event;
    iii. state of technological development; and
    iv. cost of implementing any measures;
  c. ensure that:
    i. the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1);
    ii. it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they:
      1. are aware of and comply with the Contractor’s duties under this clause;
      2. are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor;
      3. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and
      4. have undergone adequate training in the use, care, protection and handling of Personal Data; and
  d. not transfer Personal Data outside of the European Union unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
    i. the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Customer;
    ii. the Data Subject has enforceable rights and effective legal remedies;
    iii. the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and
    iv. the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
  e. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data.

13.5. Subject to clause 13.6 the Contractor shall notify the Customer immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, it:
  a. receives a Data Subject Request (or purported Data Subject Request);
  b. receives a request to rectify, block or erase any Personal Data;
  c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
  d. receives any communication from the Information Commissioner or any other regulatory authority;
  e. receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
  f. becomes aware of a Data Loss Event.

13.6. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available.

13.7. Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:
  a. the Customer with full details and copies of the complaint, communication or request;
  b. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
  c. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;
  d. assistance as requested by the Customer following any Data Loss Event;
  e. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office.

13.8. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13. This requirement does not apply where the Contractor employs fewer than 250 staff, unless:
  a. the Customer determines that the processing is not occasional;
  b. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
  c. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.

13.9. The Contractor shall allow for audits of its Personal Data processing activity by the Customer or the Customer’s designated auditor.

13.10. Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation.

13.11. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must:
  a. notify the Customer in writing of the intended Sub-processor and processing;

Appears in 4 contracts

Sources: Contract for Services, Contract for Services, Food Security Contract

Protection of Personal Data and Security of Data. 13.1. 27.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer School is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 1Processor. The only processing that the Contractor is authorised to do is listed in Schedule 1 3 by the Customer School and may not be determined by the Contractor. 13.2. 27.2 The Contractor shall notify the Customer School immediately if it considers that any of the Customer’s School's instructions infringe the Data Protection Legislation. 13.3. 27.3 The Contractor shall provide all reasonable assistance to the Customer School in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the CustomerSchool, include: a. a) a systematic description of the envisaged processing operations and the purpose of the processing; b. b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. c) an assessment of the risks to the rights and freedoms of Data Subjects; and d. d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. 27.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. a) process that Personal Data only in accordance with Schedule 1 3, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Customer School before processing the Personal Data unless prohibited by Law; b. 
b) ensure that it has in place Protective Measures Measures, which are have been reviewed and approved by the School as appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), Event having taken account of the: i. i) nature of the data to be protected; ii. ) harm that might result from a Data Loss Event; iii. ) state of technological development; and iv. ) cost of implementing any measures; c. c) ensure that : i. i) the Contractors’ Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 13); ii. ) it takes all reasonable steps to ensure the reliability and integrity of any of the Contractors’ Staff who have access to the Personal Data and ensure that they: 1. A. are aware of and comply with the Contractor’s duties under this clause; 2. B. are subject to appropriate confidentiality undertakings with the Contractor or any Sub-Sub- processor; 3. C. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Customer School or as otherwise permitted by this Agreement; and 4. D. have undergone adequate training in the use, care, protection and handling of Personal Data; and d. d) not transfer Personal Data outside of the European Union EU unless the prior written consent of the Customer School has been obtained and the following conditions are fulfilled: i. i) the Customer School or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the CustomerSchool; ii. ) the Data Subject has enforceable rights and effective legal remedies; iii. 
) the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer School in meeting its obligations); and iv. the ) Contractor complies with any reasonable instructions notified to it in advance by the Customer School with respect to the processing of the Personal Data; e. e) at the written direction of the CustomerSchool, delete or return Personal Data (and any copies of it) to the Customer School on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. 13.5. 27.5 Subject to clause 13.6 27.6 , the Contractor shall notify the Customer School immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, if it: a. i) receives a Data Subject Access Request (or purported Data Subject Access Request); b. ii) receives a request to rectify, block or erase any Personal Data; c. iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. iv) receives any communication from the Information Commissioner or any other regulatory authorityauthority in connection with Personal Data processed under this Agreement; e. v) receives a request from any third party Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. vi) becomes aware of a Data Loss Event. 13.6. 27.6 The Contractor’s obligation to notify under clause 13.5 27.5 shall include the provision of further information to the Customer School in phases, as details become available. 13.7. 
27.7 Taking into account the nature of the processing, the Contractor shall provide the Customer School with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 clause 27.5 (and insofar as possible within the timescales reasonably required by the CustomerSchool) including by promptly providing: a. i) the Customer School with full details and copies of the complaint, communication or request; b. ii) such assistance as is reasonably requested by the Customer School to enable the Customer School to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c. iii) the CustomerSchool, at its request, with any Personal Data it holds in relation to a Data Subject; d. iv) assistance as requested by the Customer School following any Data Loss Event; e. v) assistance as requested by the Customer School with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer School with the Information Commissioner's Office. 13.8. 27.8 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13clause. This requirement does not apply where the Contractor employs fewer than 250 staffStaff, unless: a. a) the Customer School determines that the processing is not occasional; b. b) the Customer School determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; orand c. c) the Customer School determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. 
27.9 The Contractor shall allow for audits of its Personal Data processing Processing activity by the Customer School or the CustomerSchool’s designated auditor. 13.10. Each Party 27.10 The Contractor shall designate its own Data Protection Officer a data protection officer if required by the Data Protection Legislation. 13.11. 27.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: a. a) notify the Customer School in writing of the intended Sub-processor and processing;

Appears in 2 contracts

Sources: Catering Services Agreement, Catering Services Agreement

Protection of Personal Data and Security of Data.

13.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 1. The only processing that the Contractor is authorised to do is listed in Schedule 1 by the Customer and may not be determined by the Contractor.

13.2. The Contractor shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.

13.3. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include:
  a. a systematic description of the envisaged processing operations and the purpose of the processing;
  b. an assessment of the necessity and proportionality of the processing operations in relation to the Services;
  c. an assessment of the risks to the rights and freedoms of Data Subjects; and
  d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

13.4. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
  a. process that Personal Data only in accordance with Schedule 1 unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law;
  b. ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), having taken account of the:
    i. nature of the data to be protected;
    ii. harm that might result from a Data Loss Event;
    iii. state of technological development; and
    iv. cost of implementing any measures;
  c. ensure that:
    i. the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1);
    ii. it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they:
      1. are aware of and comply with the Contractor’s duties under this clause;
      2. are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor;
      3. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and
      4. have undergone adequate training in the use, care, protection and handling of Personal Data; and
  d. not transfer Personal Data outside of the European Union unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
    i. the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Customer;
    ii. the Data Subject has enforceable rights and effective legal remedies;
    iii. the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and
    iv. the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
  e. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data.

13.5. Subject to clause 13.6 the Contractor shall notify the Customer immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, it:
  a. receives a Data Subject Request (or purported Data Subject Request);
  b. receives a request to rectify, block or erase any Personal Data;
  c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
  d. receives any communication from the Information Commissioner or any other regulatory authority;
  e. receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
  f. becomes aware of a Data Loss Event.

13.6. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available.

13.7. Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:
  a. the Customer with full details and copies of the complaint, communication or request;
  b. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
  c. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;
  d. assistance as requested by the Customer following any Data Loss Event;
  e. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office.

13.8. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13. This requirement does not apply where the Contractor employs fewer than 250 staff, unless:
  a. the Customer determines that the processing is not occasional;
  b. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
  c. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.

13.9. The Contractor shall allow for audits of its Personal Data processing activity by the Customer or the Customer’s designated auditor.

13.10. Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation.

13.11. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must:
  a. notify the Customer in writing of the intended Sub-processor and processing;
  b. obtain the written consent of the Customer; and
  c. enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 13 such that they apply to the Sub-processor; and
  d. provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require.

13.12. The Contractor shall remain fully liable for all acts or omissions of any of its Sub-processors.

13.13. The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

13.14. The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Contractor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Officer.

13.15. When handling Customer data (whether or not Personal Data), the Contractor shall ensure the security of the data is maintained in line with the security requirements of the Customer as notified to the Contractor from time to time.

13.16. This clause 13 shall apply during the Term and indefinitely after its expiry.

13.17. [Where the Parties include two or more Joint Controllers as identified in Schedule 1, in accordance with GDPR Article 26 those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule [X] in replacement of Clauses 13.1 to 13.14 for the Personal Data in respect of which they are Joint Controllers.]

Appears in 2 contracts

Sources: Contract for Services, Contract for Services

Protection of Personal Data and Security of Data. 13.1. The ‌ 13.1 With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the a Data Controller and the Contractor is the Processor unless otherwise specified in Schedule 1. The only processing that the Contractor Supplier is authorised to do is listed in Schedule 1 by a Data Processor OR, where relevant, that the Customer and may not be determined by the ContractorSupplier are joint Data Controllers. 13.2. 13.2 The Contractor Supplier shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 13.3. 13.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, includeSupplier shall: a. a systematic description of 13.3.1 Process the envisaged processing operations and the purpose of the processing; b. an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. an assessment of the risks to the rights and freedoms of Data Subjects; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. 
process that Personal Data only in accordance with Schedule 1 unless the Contractor written instructions of the Customer and only to the extent that is necessary for the provision of the Services under this Agreement or as is required by law or any regulatory body; 13.3.2 not engage a sub-processor to do otherwise undertake any Processing of any Personal Data without the prior written authorisation of the Customer. Where such authorisation is granted by Law. If it is so required the Contractor shall promptly notify the Customer before processing (at its sole discretion), the Supplier shall ensure that it enters into a contract with that sub-processor on the same or equivalent terms as are set out in this clause; 13.3.3 ensure that persons authorised to Process the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; c. ensure that : i. the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); ii. it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: 1. are aware of and comply with the ContractorSupplier’s duties under this clause; 2. are subject 13.3.4 ensure that persons authorised to appropriate confidentiality undertakings with the Contractor or any Sub-processor; 3. 
are informed of the confidential nature of Process the Personal Data and do not have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 13.3.5 ensure that none of the Supplier’s employees publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; andCustomer; 4. 13.3.6 ensure that persons authorised to Process the Personal Data have undergone adequate training been trained in the use, care, protection and handling of Personal Data; and; d. 13.3.7 not transfer any Personal Data to any country or territory outside of the European Union unless Economic Area without the prior written consent of the Customer has been obtained and the following conditions are fulfilled: i. the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Customer; ii. the Data Subject has enforceable rights and effective legal remedies; iii. the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and iv. the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e. 13.3.8 at the written direction of the Customer, delete or return all the Personal Data (and any copies of it) to the Customer on termination after the end of the Agreement provision of Services, and delete existing copies, unless the Contractor is required by Law Supplier has a statutory duty to retain that Personal Data. 
If the Supplier believes that it does have such a statutory duty, this should be notified to the Customer in writing at least three (3) months prior to the expiry or termination (whichever is earlier) of this Agreement; 13.3.9 assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to Subject Access Requests, as well as providing all assistance and cooperation as the Customer may require to investigate or deal with any such Subject Access Requests; 13.3.10 ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data. 13.5. Subject Data and/or accidental loss, destruction or damage to clause 13.6 the Contractor shall notify the Customer immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, it: a. receives a Data Subject Request (or purported Data Subject Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request13.3.11 insofar as this is possible given the nature of Processing and the information available to the Supplier, complaint or communication relating assist the Customer in ensuring compliance with its obligations pursuant to either Party's obligations under the Data Protection Legislation; d. 
receives 13.3.12 notify the Customer of any actual or potential Personal Data Breach within 24 hours of its occurrence (or, in the case of a potential breach, the Supplier becoming aware of such breach), along with all supporting facts and information sufficient to allow the Customer to make any required report(s) to any relevant Data Subjects, the Information Commissioner or other regulatory or governmental body or bodies to which it is subject; 13.3.13 notify the Customer immediately if it receives: a) a request from a Data Subject to have access to that person’s Personal Data; b) a request to rectify, erase or cease processing Personal Data; c) any communication from the Information Commissioner or any other regulatory authority; e. receives d) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Lawlaw; or f. becomes aware of e) a Data Loss Event. 13.6. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information complaint or request relating to the Customer in phases, as details become available.Customer’s obligations under the Data Protection Legislation; 13.7. Taking into account the nature of the processing, the Contractor shall 13.3.14 provide the Customer with full cooperation and assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication complaint or request made under Clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) made, including by promptly providingby: a. a) providing the Customer with full details and copies of the complaint, communication complaint or request;request;‌ b. 
such assistance as is reasonably requested by the Customer to enable the Customer to comply b) complying with a Data Subject Access Request within the relevant timescales set out in the Data Protection LegislationLegislation and in accordance with the Customer’s instructions; c. c) providing the Customer, at its request, Customer with any Personal Data it holds in relation to a Data Subject; d. assistance as Subject (within the timescales required by the Customer); and d) providing the Customer with information requested by the Customer following any Data Loss EventCustomer; e. assistance as requested by 13.3.15 make available to the Customer with respect Customer, at reasonable intervals and within twenty one (21) days following a request for such, all information necessary to any request from the Information Commissioner’s Office, or any consultation by the Customer demonstrate compliance with the Information Commissioner's Office. 13.8. The Contractor shall maintain complete obligations laid down in the Data Protection Legislation and accurate records and information to demonstrate its compliance with this clause 13. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: a. the Customer determines that the processing is not occasional; b. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or c. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. The Contractor shall allow for audits of its Personal Data processing activity and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer’s designated auditor. 13.10. 
13.4 The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. 13.5 The Supplier shall indemnify and keep indemnified the Customer against all demands, actions, proceedings, claims, damages, liabilities, costs and expenses (including reasonable legal costs) incurred by it in respect of any breach of this clause by the Supplier and/or any act or omission of any Sub-Contractor appointed by the Supplier. 13.6 The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its termination. 13.7 In the event of conflict between any provision in the Agreement and this clause the provisions of this clause shall take precedence.

Appears in 1 contract

Sources: Award of Contract for the Supply of Services

Protection of Personal Data and Security of Data. 13.1. The Parties acknowledge that for 15.1 In this Clause 15, the purposes of terms "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation, . 15.2 The Supplier acknowledges the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 1. The only processing Processing (if any) that the Contractor it is authorised to do is listed in Schedule 1 4 (Processing Personal Data) by the Customer and may not be determined by the ContractorUKRI. 13.2. 15.3 The Contractor Supplier shall notify the Customer UKRI immediately if it considers that any of the CustomerUKRI’s instructions infringe the Data Protection Legislation. 13.3. 15.4 The Contractor Supplier shall provide all reasonable assistance to the Customer UKRI in the preparation of any Data Protection Impact Assessment prior to commencing any processingProcessing. Such assistance may, at the discretion of the CustomerUKRI, include: a. 15.4.1 a systematic description of the envisaged processing operations Processing and the purpose of the processingProcessing; b. 15.4.2 an assessment of the necessity and proportionality of the processing operations Processing in relation to the Goods and/or Services; c. 15.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and d. 15.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. 15.5 The Contractor Supplier shall, in relation to any Personal Data processed Processed in connection with its obligations under this AgreementContract: a. process 15.5.1 Process that Personal Data only in accordance with Schedule 1 4 (Processing Personal Data), unless the Contractor Supplier is required to do otherwise by Law. 
If it is so required the Contractor Supplier shall promptly notify the Customer UKRI before processing Processing the Personal Data unless prohibited by Law; b. 15.5.2 ensure that it has in place Protective Measures Measures, (if the Supplier is holding UKRI Data, including back-up data, that it is held by a secure system that complies with the Security Policy and any applicable Security Management Plan) which are appropriate to protect against a Data Loss Event, which the Customer UKRI may reasonably reject (but failure to reject shall not amount to approval by the Customer UKRI of the adequacy of the Protective Measures), ) having taken account of the: i. a) nature of the data to be protected; ii. b) harm that might result from a Personal Data Loss EventBreach; iii. c) state of technological development; and iv. d) cost of implementing any measures; c. 15.5.3 ensure that that: i. a) the Supplier Staff do not process Process Personal Data except in accordance with this Agreement the Contract (and in particular Schedule 14 (Processing Personal Data)); ii. b) it takes uses all reasonable steps endeavours to ensure the reliability and integrity of any Supplier Staff who have access to the Personal Data and ensure that they: 1. (i) are aware of and comply with the ContractorSupplier’s duties under this clauseClauses 15 and 13; 2. (ii) are subject to appropriate confidentiality undertakings with the Contractor Supplier or any Subsub-processor; 3. (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer UKRI or as otherwise permitted by this AgreementContract; and 4. (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and; d. 
15.5.4 not transfer Personal Data outside of the European Union UK unless the prior written consent of the Customer UKRI has been obtained and the following conditions are fulfilled: i. a) the Customer transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or b) UKRI or the Contractor Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with the UK GDPR Article 46 or LED Article 37section 75 of the DPA 2018) as determined by UKRI which could include relevant parties entering into the CustomerInternational Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures determined by UKRI; ii. c) the Data Subject (as defined by the Data Protection Act 2018) has enforceable rights and effective legal remedies; d) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist UKRI in meeting its obligations); and e) the Supplier complies with any reasonable instructions notified to it in advance by UKRI with respect to the Processing of the Personal Data; 15.5.5 where the Personal Data is subject to EU GDPR, not transfer Personal Data outside of the EU unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the EU GDPR; or b) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of 
such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; c) the Data Subject has enforceable rights and effective legal remedies; iii. d) the Contractor transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer non-transferring Party in meeting its obligations); and iv. e) the Contractor transferring Party complies with any reasonable instructions notified to it in advance by the Customer non-transferring Party with respect to the processing of the Personal Data;; and e. 15.5.6 at the written direction of the CustomerUKRI, delete or return Personal Data (and any copies of it) to the Customer UKRI on termination of the Agreement this Contract unless the Contractor Supplier is required by Law to retain the Personal Data. 13.5. 15.6 Subject to clause 13.6 Clause 15.7, the Contractor Supplier shall notify the Customer UKRI immediately if, if in relation to any it Processing Personal Data processed under or in connection with its obligations under this Agreement, Contract it: a. 15.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request); b. 15.6.2 receives a request to rectify, block or erase any Personal Data; c. 15.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. 15.6.4 receives any communication from the Information Commissioner or any other regulatory authorityauthority in connection with Personal Data Processed under the Contract; e. 15.6.5 receives a request from any third party Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. 
15.6.6 becomes aware of a Personal Data Loss EventBreach. 13.6. 15.7 The ContractorSupplier’s obligation to notify under clause 13.5 Clause 15.6 shall include the provision of further information to the Customer in phasesUKRI, as details become available. 13.7. 15.8 Taking into account the nature of the processingProcessing, the Contractor Supplier shall provide the Customer UKRI with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 15.6 (and insofar as possible within the timescales reasonably required by the CustomerUKRI) including by promptly immediately providing: a. the Customer 15.8.1 UKRI with full details and copies of the complaint, communication or request; b. 15.8.2 such assistance as is reasonably requested by the Customer UKRI to enable the Customer it to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c. the Customer15.8.3 UKRI, at its request, with any Personal Data it holds in relation to a Data Subject; d. 15.8.4 assistance as requested by the Customer UKRI following any Personal Data Loss Event;Breach; and/or e. 15.8.5 assistance as requested by the Customer UKRI with respect to any request from the Information Commissioner’s OfficeOffice or any other regulatory authority, or any consultation by the Customer UKRI with the Information Commissioner's OfficeOffice or any other regulatory authority. 13.8. 15.9 The Contractor Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13Clause 15. This requirement does not apply where the Contractor Supplier employs fewer than 250 staff, unless: a. the Customer 15.9.1 UKRI determines that the processing Processing is not occasional; b. 
the Customer 15.9.2 UKRI determines the processing Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or c. the Customer 15.9.3 UKRI determines that the processing Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. 15.10 The Contractor Supplier shall allow for audits of its Personal Data processing Processing activity by the Customer UKRI or the CustomerUKRI’s designated auditor. 13.10. Each Party 15.11 The Parties shall designate its own a Data Protection Officer if required by the Data Protection Legislation. 13.11. 15.12 Before allowing any Subsub-processor to process any Personal Data related to this Agreementthe Contract, the Contractor Supplier must: a. 15.12.1 notify the Customer UKRI in writing of the intended Subsub-processor and processing; 15.12.2 obtain the written consent of UKRI; 15.12.3 enter into a written agreement with the sub-processor which give effect to the terms set out in this Clause 15 such that they apply to the sub-processor; and 15.12.4 provide UKRI with such information regarding the sub-processor as UKRI may reasonably require. 15.13 To the extent that UKRI provides its consent pursuant to clause 15.12, the Supplier shall flow down the contractual obligations contained in this clause 15 to sub-processors. For the avoidance of doubt, the Supplier shall remain fully liable for all acts or omissions of any of its sub-processor. 15.14 UKRI may, at any time on not less than 30 Working Days’ notice, revise this Clause 15 by replacing it with any applicable controller to Supplier standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 15.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. 
UKRI may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Supply Agreement

Protection of Personal Data and Security of Data. 13.1. 13.1 The Supplier shall, and shall procure that all Staff shall, comply with any notification requirements under DPA and both Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement. 13.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor Supplier is the Processor unless otherwise specified in Schedule 1Processor. The only processing that the Contractor Supplier is authorised to do is listed in Schedule 1 by the Customer and is for the purposes of ensuring Delivery. Changes to processing may not be determined by the ContractorSupplier. 13.2. 13.3 The Contractor Supplier shall notify the Customer immediately if it considers that any of the Customer’s 's instructions infringe the Data Protection LegislationDPA. 13.3. 13.4 The Contractor Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a. (a) a systematic description of the envisaged processing operations and the purpose of the processing; b. (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. (c) an assessment of the risks to the rights and freedoms of Data Subjects; and d. (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. 13.5 The Contractor Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. (a) process that Personal Data only in accordance with Schedule 1 ensuring Delivery unless the Contractor Supplier is required to do otherwise by Law. 
If it is so required the Contractor Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; b. (b) ensure that it has in place Protective Measures Measures, which are have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), Event having taken account of the: i. (i) nature of the data to be protected; (ii. ) harm that might result from a Data Loss Event; (iii. ) state of technological development; and (iv. ) cost of implementing any measures; c. (c) ensure that : i. (i) the Staff Supplier Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1particularly for the purposes of Delivery); (ii. ) it takes all reasonable steps to ensure the reliability and integrity of any Staff Supplier Personnel who have access to the Personal Data and ensure that they: 1. are aware of and comply with the Contractor’s duties under this clause; 2. are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; 3. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and 4. have undergone adequate training in the use, care, protection and handling of Personal Data; and d. not transfer Personal Data outside of the European Union unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: i. the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Customer; ii. 
the Data Subject has enforceable rights and effective legal remedies; iii. the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and iv. the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. 13.5. Subject to clause 13.6 the Contractor shall notify the Customer immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, it: a. receives a Data Subject Request (or purported Data Subject Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority; e. receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 13.6. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available. 13.7. 
Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: a. the Customer with full details and copies of the complaint, communication or request; b. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; c. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; d. assistance as requested by the Customer following any Data Loss Event; e. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 13.8. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: a. the Customer determines that the processing is not occasional; b. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or c. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. The Contractor shall allow for audits of its Personal Data processing activity by the Customer or the Customer’s designated auditor. 13.10. 
Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation. 13.11. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: a. notify the Customer in writing of the intended Sub-processor and processing;

Appears in 1 contract

Sources: DPS Agreement

Protection of Personal Data and Security of Data. 13.1. 23.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Council is the Controller and the Contractor Supplier is the Processor unless otherwise specified in Schedule 1Processor. The only processing that the Contractor Supplier is authorised to do is listed in Schedule 1 3 by the Customer Council and may not be determined by the ContractorSupplier. 13.2. 23.2 The Contractor Supplier shall notify the Customer Council immediately if it considers that any of the Customer’s Council's instructions infringe the Data Protection Legislation. 13.3. 23.3 The Contractor Supplier shall provide all reasonable assistance to the Customer Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the CustomerCouncil, include: a. a a) A systematic description of the envisaged processing operations and the purpose of the processing; b. b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. c) an assessment of the risks to the rights and freedoms of Data Subjects; and d. d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. 23.4 The Contractor Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. a) process that Personal Data only in accordance with Schedule 1 3, unless the Contractor Supplier is required to do otherwise by Law. If it is so required the Contractor Supplier shall promptly notify the Customer Council before processing the Personal Data unless prohibited by Law; b. 
b) ensure that it has in place Protective Measures Measures, which are have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), Event having taken account of the: i. i) nature of the data to be protected; ii. ) harm that might result from a Data Loss Event; iii. ) state of technological development; and iv. ) cost of implementing any measures; c. c) ensure that that: i. the i) Suppliers’ Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 13); ii. ) it takes all reasonable steps to ensure the reliability and integrity of any of the Suppliers’ Staff who have access to the Personal Data and ensure that they: 1. A. are aware of and comply with the ContractorSupplier’s duties under this clause; 2. B. are subject to appropriate confidentiality undertakings with the Contractor Supplier or any Sub-processor; 3. C. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Customer Council or as otherwise permitted by this Agreement; and 4. D. have undergone adequate training in the use, care, protection and handling of Personal Data; and d. d) not transfer Personal Data outside of the European Union EU unless the prior written consent of the Customer Council has been obtained and the following conditions are fulfilled: i. i) the Customer Council or the Contractor Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the CustomerCouncil; ii. ) the Data Subject has enforceable rights and effective legal remedies; iii. 
) the Contractor Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer Council in meeting its obligations); and iv. the Contractor ) Supplier complies with any reasonable instructions notified to it in advance by the Customer Council with respect to the processing of the Personal Data; e. e) at the written direction of the CustomerCouncil, delete or return Personal Data (and any copies of it) to the Customer Council on termination of the Agreement unless the Contractor Supplier is required by Law to retain the Personal Data. 13.5. 23.5 Subject to clause 13.6 23.6 , the Contractor Supplier shall notify the Customer Council immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, if it: a. i) receives a Data Subject Access Request (or purported Data Subject Access Request); b. ii) receives a request to rectify, block or erase any Personal Data; c. iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. iv) receives any communication from the Information Commissioner or any other regulatory authorityauthority in connection with Personal Data processed under this Agreement; e. v) receives a request from any third party Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. vi) becomes aware of a Data Loss Event. 13.6. 23.6 The ContractorSupplier’s obligation to notify under clause 13.5 23.5 shall include the provision of further information to the Customer Council in phases, as details become available. 13.7. 
23.7 Taking into account the nature of the processing, the Contractor Service Provide shall provide the Customer Council with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 clause 23.5 (and insofar as possible within the timescales reasonably required by the CustomerCouncil) including by promptly providing: a. i) the Customer Council with full details and copies of the complaint, communication or request; b. ii) such assistance as is reasonably requested by the Customer Council to enable the Customer Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c. iii) the CustomerCouncil, at its request, with any Personal Data it holds in relation to a Data Subject; d. iv) assistance as requested by the Customer Council following any Data Loss Event; e. v) assistance as requested by the Customer Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer Council with the Information Commissioner's Office. 13.8. 23.8 The Contractor Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13clause. This requirement does not apply where the Contractor Supplier employs fewer than 250 staffStaff, unless: a. a) the Customer Council determines that the processing is not occasional; b. b) the Customer Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; orand c. c) the Customer Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. 
23.9 The Contractor Supplier shall allow for audits of its Personal Data processing Processing activity by the Customer Council or the CustomerCouncil’s designated auditor. 13.10. Each Party 23.10 The Supplier shall designate its own Data Protection Officer a data protection officer if required by the Data Protection Legislation. 13.11. 23.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor Supplier must: a. a) notify the Customer Council in writing of the intended Sub-processor and processing; b) obtain the written consent of the Council; c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 23 such that they apply to the Sub- processor; and d) provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 23.12 The Supplier shall remain fully liable for all acts or omissions of any Sub- processor. 23.13 Without prejudice to the generality of clause 23 the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement indemnify the Council against any loss or damage suffered by the Council of its obligations under this clause 23. 23.14 The Council may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 23.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Supplier amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 
23.16 The provisions of this clause 23 shall apply during the continuance of the Agreement and indefinitely after its expiry or termination. 23.17 The provisions of this Clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.

Appears in 1 contract

Sources: Transport Services Agreement

Protection of Personal Data and Security of Data. 13.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Schedule A of this document by the Customer and may not be determined by the Contractor. 13.2 The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 13.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
13.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Schedule A of this document, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data.
13.5 Subject to clause 13.6, the Contractor shall notify the Customer immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 13.6 The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available.
13.7 Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: (a) the Customer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Customer following any Data Loss Event; (e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 13.8 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9 The Contractor shall allow for audits of its Personal Data Processing activity by the Customer or the Customer’s designated auditor.
13.10 The Contractor shall designate a data protection officer if required by the Data Protection Legislation. 13.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: (a) notify the Customer in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Customer; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 13 such that they apply to the Sub-processor; and (d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 13.12 The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. 13.13 The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 13.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Contractor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Terms and Conditions for the Purchase of Services

Protection of Personal Data and Security of Data. 13.1. The ‌ 13.1 With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the a Data Controller and the Contractor is the Processor unless otherwise specified in Schedule 1. The only processing that the Contractor Supplier is authorised to do is listed in Schedule 1 by a Data Processor OR, where relevant, that the Customer and may not be determined by the ContractorSupplier are joint Data Controllers. 13.2. 13.2 The Contractor Supplier shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 13.3. 13.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, includeSupplier shall: a. a systematic description of 13.3.1 Process the envisaged processing operations and the purpose of the processing; b. an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. an assessment of the risks to the rights and freedoms of Data Subjects; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. 
process that Personal Data only in accordance with Schedule 1 unless the Contractor written instructions of the Customer and only to the extent that is necessary for the provision of the Services under this Agreement or as is required by law or any regulatory body; 13.3.2 not engage a sub-processor to do otherwise undertake any Processing of any Personal Data without the prior written authorisation of the Customer. Where such authorisation is granted by Law. If it is so required the Contractor shall promptly notify the Customer before processing (at its sole discretion), the Supplier shall ensure that it enters into a contract with that sub-processor on the same or equivalent terms as are set out in this clause; 13.3.3 ensure that persons authorised to Process the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Customer may reasonably reject (but failure to reject shall not amount to approval by the Customer of the adequacy of the Protective Measures), having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; c. ensure that : i. the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); ii. it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: 1. are aware of and comply with the ContractorSupplier’s duties under this clause; 2. are subject 13.3.4 ensure that persons authorised to appropriate confidentiality undertakings with the Contractor or any Sub-processor; 3. 
are informed of the confidential nature of Process the Personal Data and do not have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 13.3.5 ensure that none of the Supplier’s employees publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; andCustomer; 4. 13.3.6 ensure that persons authorised to Process the Personal Data have undergone adequate training been trained in the use, care, protection and handling of Personal Data; and; d. 13.3.7 not transfer any Personal Data to any country or territory outside of the European Union unless Economic Area without the prior written consent of the Customer has been obtained and the following conditions are fulfilled: i. the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Customer; ii. the Data Subject has enforceable rights and effective legal remedies; iii. the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and iv. the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e. 13.3.8 at the written direction of the Customer, delete or return all the Personal Data (and any copies of it) to the Customer on termination after the end of the Agreement provision of Services, and delete existing copies, unless the Contractor is required by Law Supplier has a statutory duty to retain that Personal Data. 
If the Supplier believes that it does have such a statutory duty, this should be notified to the Customer in writing at least three (3) months prior to the expiry or termination (whichever is earlier) of this Agreement; 13.3.9 assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to Subject Access Requests, as well as providing all assistance and cooperation as the Customer may require to investigate or deal with any such Subject Access Requests; 13.3.10 ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data. 13.5. Subject Data and/or accidental loss, destruction or damage to clause 13.6 the Contractor shall notify the Customer immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, it: a. receives a Data Subject Request (or purported Data Subject Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request13.3.11 insofar as this is possible given the nature of Processing and the information available to the Supplier, complaint or communication relating assist the Customer in ensuring compliance with its obligations pursuant to either Party's obligations under the Data Protection Legislation; d. 
receives 13.3.12 notify the Customer of any actual or potential Personal Data Breach within 24 hours of its occurrence (or, in the case of a potential breach, the Supplier becoming aware of such breach), along with all supporting facts and information sufficient to allow the Customer to make any required report(s) to any relevant Data Subjects, the Information Commissioner or other regulatory or governmental body or bodies to which it is subject; 13.3.13 notify the Customer immediately if it receives: a) a request from a Data Subject to have access to that person’s Personal Data; b) a request to rectify, erase or cease processing Personal Data; c) any communication from the Information Commissioner or any other regulatory authority; e. receives d) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Lawlaw; or f. becomes aware of e) a Data Loss Event. 13.6. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information complaint or request relating to the Customer in phases, as details become available.Customer’s obligations under the Data Protection Legislation; 13.7. Taking into account the nature of the processing, the Contractor shall 13.3.14 provide the Customer with full cooperation and assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication complaint or request made under Clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) made, including by promptly providingby: a. a) providing the Customer with full details and copies of the complaint, communication complaint or request; b. 
such assistance as is reasonably requested by the Customer to enable the Customer to comply b) complying with a Data Subject Access Request within the relevant timescales set out in the Data Protection LegislationLegislation and in accordance with the Customer’s instructions; c. c) providing the Customer, at its request, Customer with any Personal Data it holds in relation to a Data Subject; d. assistance as Subject (within the timescales required by the Customer); and d) providing the Customer with information requested by the Customer following any Data Loss EventCustomer; e. assistance as requested by 13.3.15 make available to the Customer with respect Customer, at reasonable intervals and within twenty one (21) days following a request for such, all information necessary to any request from the Information Commissioner’s Office, or any consultation by the Customer demonstrate compliance with the Information Commissioner's Office. 13.8. The Contractor shall maintain complete obligations laid down in the Data Protection Legislation and accurate records and information to demonstrate its compliance with this clause 13. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: a. the Customer determines that the processing is not occasional; b. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or c. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. The Contractor shall allow for audits of its Personal Data processing activity and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer’s designated auditor. 13.10. 
Each Party 13.4 The Supplier shall designate its own comply at all times with the Data Protection Officer if required by Legislation and shall not perform its obligations under this Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. 13.11. Before allowing 13.5 The Supplier shall indemnify and keep indemnified the Customer against all demands, actions, proceedings, claims, damages, liabilities, costs and expenses (including reasonable legal costs) incurred by it in respect of any breach of this clause by the Supplierand/or any act or omission of any Sub-processor to process any Personal Data related to Contractor appointed by the Supplier. 13.6 The provisions of this Agreement, clause shall apply during the Contractor must: a. notify the Customer in writing continuance of the intended Sub-processor Agreement and processing;indefinitely after its termination. 13.7 In the event of conflict between any provision in the Agreement and this clause the provisions of this clause shall take precedence.

Appears in 1 contract

Sources: Award of Contract for the Supply of Services

Protection of Personal Data and Security of Data. 14.1 In this Clause 14, the terms "data controller" and "data processor" shall have the same meanings given to them under Data Protection Legislation. 15.2 The Supplier acknowledges the only Processing (if any) that it is authorised to do is listed in Schedule 4 (Processing Personal Data) by UKRI. 15.3 The Supplier shall notify UKRI immediately if it considers that any of UKRI’s instructions infringe the Data Protection Legislation. 15.4 The Supplier shall provide all reasonable assistance to UKRI in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of UKRI, include: 15.4.1 a systematic description of the envisaged Processing and the purpose of the Processing; 15.4.2 an assessment of the necessity and proportionality of the Processing in relation to the Goods and/or Services; 15.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 15.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
15.5 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Contract: 15.5.1 Process that Personal Data only in accordance with Schedule 4 (Processing Personal Data), unless the Supplier is required to do otherwise by Law. If it is so required, the Supplier shall promptly notify UKRI before Processing the Personal Data unless prohibited by Law; 15.5.2 ensure that it has in place Protective Measures, (if the Supplier is holding UKRI Data, including back-up data, that it is held by a secure system that complies with the Security Policy and any applicable Security Management Plan) which are appropriate to protect against a Data Loss Event, which UKRI may reasonably reject (but failure to reject shall not amount to approval by UKRI of the adequacy of the Protective Measures) having taken account of the: a) nature of the data to be protected; b) harm that might result from a Personal Data Breach; c) state of technological development; and d) cost of implementing any measures; 15.5.3 ensure that: a) the Supplier Staff do not Process Personal Data except in accordance with the Contract (and in particular Schedule 4 (Processing Personal Data)); b) it uses all reasonable endeavours to ensure the reliability and integrity of any Supplier Staff who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Supplier’s duties under Clauses 15 and 13; (ii) are subject to appropriate confidentiality undertakings with the Supplier or any sub-processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by UKRI or as otherwise permitted by this Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data;
15.5.4 not transfer Personal Data outside of the UK unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or b) UKRI or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with the UK GDPR Article 46 or section 75 of the DPA 2018) as determined by UKRI which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures determined by UKRI; c) the Data Subject (as defined by the Data Protection Act 2018) has enforceable rights and effective legal remedies; d) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist UKRI in meeting its obligations); and e) the Supplier complies with any reasonable instructions notified to it in advance by UKRI with respect to the Processing of the Personal Data; 15.5.5 where the Personal Data is subject to EU GDPR, not transfer Personal Data outside of the EU unless the prior written consent of UKRI has been obtained and the following conditions are fulfilled: a) the transfer is in accordance with Article 45 of the EU GDPR; or b) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; c) the Data Subject has enforceable rights and effective legal remedies; d) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and e) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and 15.5.6 at the written direction of UKRI, delete or return Personal Data (and any copies of it) to UKRI on termination of this Contract unless the Supplier is required by Law to retain the Personal Data.
15.6 Subject to Clause 15.7, the Supplier shall notify UKRI immediately if in relation to it Processing Personal Data under or in connection with its obligations under this Contract it: 15.6.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 15.6.2 receives a request to rectify, block or erase any Personal Data; 15.6.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 15.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under the Contract; 15.6.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 15.6.6 becomes aware of a Personal Data Breach. 15.7 The Supplier’s obligation to notify under Clause 15.6 shall include the provision of further information to UKRI, as details become available.
15.8 Taking into account the nature of the Processing, the Supplier shall provide UKRI with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 15.6 (and insofar as possible within the timescales reasonably required by UKRI) including by immediately providing: 15.8.1 UKRI with full details and copies of the complaint, communication or request; 15.8.2 such assistance as is reasonably requested by UKRI to enable it to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 15.8.3 UKRI, at its request, with any Personal Data it holds in relation to a Data Subject; 15.8.4 assistance as requested by UKRI following any Personal Data Breach; and/or 15.8.5 assistance as requested by UKRI with respect to any request from the Information Commissioner’s Office or any other regulatory authority, or any consultation by UKRI with the Information Commissioner's Office or any other regulatory authority.
15.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 15. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: 15.9.1 UKRI determines that the Processing is not occasional; 15.9.2 UKRI determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or 15.9.3 UKRI determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 15.10 The Supplier shall allow for audits of its Personal Data Processing activity by UKRI or UKRI’s designated auditor. 15.11 The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
15.12 Before allowing any sub-processor to process any Personal Data related to the Contract, the Supplier must: 15.12.1 notify UKRI in writing of the intended sub-processor and processing; 15.12.2 obtain the written consent of UKRI; 15.12.3 enter into a written agreement with the sub-processor which give effect to the terms set out in this Clause 15 such that they apply to the sub-processor; and 15.12.4 provide UKRI with such information regarding the sub-processor as UKRI may reasonably require. 15.13 To the extent that UKRI provides its consent pursuant to clause 15.12, the Supplier shall flow down the contractual obligations contained in this clause 15 to sub-processors. For the avoidance of doubt, the Supplier shall remain fully liable for all acts or omissions of any of its sub-processor. 15.14 UKRI may, at any time on not less than 30 Working Days’ notice, revise this Clause 15 by replacing it with any applicable controller to Supplier standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 15.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office.
UKRI may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Contract for the Supply of Foia Section 43 Commercial Monitoring and Evaluation Follow on Study

Protection of Personal Data and Security of Data. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in GDPR Schedule 1 by the Council and may not be determined by the Contractor. 2.2 The Contractor shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. 2.3 The Contractor shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 2.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with GDPR Schedule, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Council before processing the Personal Data unless prohibited by Law;
ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Contractors’ Staff do not process Personal Data except in accordance with this Agreement (and in particular GDPR Schedule); it takes all reasonable steps to ensure the reliability and integrity of any of the Contractors’ Staff who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Council; the Data Subject has enforceable rights and effective legal remedies;
the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. 2.5 Subject to clause 2.6, the Contractor shall notify the Council immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, if it: a. receives a Data Subject Request (or purported Data Subject Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority; e. receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 13.6. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available. 13.7.
Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Agreement and any complaint, communication or request made under Clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: a. the Customer with full details and copies of the complaint, communication or request; b. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; c. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; d. assistance as requested by the Customer following any Data Loss Event; e. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 13.8. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 13. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: a. the Customer determines that the processing is not occasional; b. the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or c. the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9. The Contractor shall allow for audits of its Personal Data processing activity by the Customer or the Customer’s designated auditor. 13.10. 
Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation. 13.11. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: a. notify the Customer in writing of the intended Sub-processor and processing;

Appears in 1 contract

Sources: GDPR Data Protection Schedule