Common use of Roles and Restrictions on Processing Clause in Contracts

Roles and Restrictions on Processing. 3.1 If Company has access to or otherwise processes Personal Data pursuant to the Agreement, then Company shall: 3.1.1 only process the Personal Data in accordance with Partner’s documented instructions and on its behalf, and in accordance with the Agreement and this DPA and related Attachments, unless required otherwise under applicable laws. In such case, Company shall, to the extent legally permitted, promptly notify Partner of such legal obligation; 3.1.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision have access to and process, Personal Data; 3.1.3 without undue delay, and in any case within the period of time required in Data Protection Laws, assist Partner as needed to cooperate with and respond to requests from supervisory authorities, Data Subjects, customers, or others to provide information (including details of the services provided by Company) related to Company’s processing of Personal Data; 3.1.4 notify Partner without undue delay, and no later than seventy-two (72) hours, after becoming aware of a Security Incident; 3.1.5 provide full, reasonable cooperation and assistance to Partner in: 3.1.5.1 upon receipt of: (a) requests from Data Subjects to exercise their rights under the Data Protection Laws in connection with Personal Data processed under this DPA, including (without limitation) the right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing, or the right not to be subject to an automated individual decision making, the right to opt-out where applicable; and/or (b) any requests or inquiries from supervisory authorities, customers, or others, to provide information related to Company’s processing of Personal Data under this DPA; shall: (i) direct such requests to Partner without undue delay, and (ii) not respond or act upon such requests without prior written approval from 
Partner; and (iii) promptly, and in any case within the period of time required in Data Protection Laws, provide full, reasonable cooperation and assistance to Partner in responding to and exercising such requests, except that the foregoing shall not apply only and insofar as it conflicts with Data Protection Laws. 3.1.6 only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; 3.1.7 as required under Data Protection Laws, maintain accurate written records of any and all the processing activities of any Personal Data carried out under the Agreement (including the categories of processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the Partner and applicable supervisory authority on request; in the event the records and documentation provided are not sufficient for the purpose of demonstrating compliance, the Company shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Partner, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Partner in the event the Company reasonably believes the auditor is not suitably qualified or is a competitor of the Company. 
The Partner shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Nothing in this DPA will require the Company to either disclose to Partner or its third-party auditor, or to allow Partner or its third-party auditor to access: (i) any data of any other customer; (ii) internal accounting or financial information; (iii) any trade secret; (iv) any information that, in the Company’s reasonable opinion, could compromise the security of any systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Partner or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligations under the Data Protection Laws; 3.1.8 not lease, sell or otherwise distribute Personal Data; 3.1.9 Partner shall be responsible to provide Company with any end-users’ opt-out or consent signals to enable Company to process the Personal Data in accordance with Data Protection Laws. 
With respect to Personal Data collected under this DPA via cookies/pixels/beacons or similar tracking technologies (“Tracking Technologies”), Company will comply, where and when legally necessary, with end user's opt-out or consent signals transmitted via Partner’s and/or its partners’ consent mechanisms or otherwise; promptly notify Partner of any investigation, litigation, arbitrated matter or other dispute relating to the Company or the processing of Personal Data under the Agreement; 3.1.10 promptly notify Partner in writing and provide Partner an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Partner; 3.1.11 upon termination of the Agreement, or upon Partner’s written request at any time during the term of the Agreement, Company shall cease to process any Personal Data received from Partner, and within a reasonable period will at the request of Partner: (1) return the Personal Data; or (2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws.

Appears in 1 contract

Sources: Data Processing Addendum

Roles and Restrictions on Processing. 3.1 If Company has access to or otherwise processes Personal Data pursuant to the Agreement, then Company shall: 3.1.1 only process the Personal Data in accordance with Partner’s documented instructions and on its behalf, and in accordance with the Agreement and this DPA and related Attachments, unless required otherwise under applicable laws. In such case, Company shall, to the extent legally permitted, promptly notify Partner of such legal obligation; 3.1.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision have access to and process, Personal Data; 3.1.3 without undue delay, and in any case within the period of time required in Data Protection Laws, assist Partner as needed to cooperate with and respond to requests from supervisory authorities, Data Subjects, customers, or others to provide information (including details of the services provided by Company) related to Company’s processing of Personal Data; 3.1.4 notify Partner without undue delay, and no later than seventy-two (72) hours, after becoming aware of a Security Incident; 3.1.5 provide full, reasonable cooperation and assistance to Partner in: 3.1.5.1 upon receipt of: (a) requests from Data Subjects to exercise their rights under the Data Protection Laws in connection with Personal Data processed under this DPA, including (without limitation) the right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing, or the right not to be subject to an automated individual decision making, the right to opt-out where applicable; and/or (b) any requests or inquiries from supervisory authorities, customers, or others, to provide information related to Company’s processing of Personal Data under this DPA; shall: (i) direct such requests to Partner without undue delay, and (ii) not respond or act upon such requests without prior written approval from 
Partner; and (iii) promptly, and in any case within the period of time required in Data Protection Laws, provide full, reasonable cooperation and assistance to Partner in responding to and exercising such requests, except that the foregoing shall not apply only and insofar as it conflicts with Data Protection Laws. 3.1.6 only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; 3.1.7 as required under Data Protection Laws, maintain accurate written records of any and all the processing activities of any Personal Data carried out under the Agreement (including the categories of processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the Partner and applicable supervisory authority on request; in the event the records and documentation provided are not sufficient for the purpose of demonstrating compliance, the Company shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Partner, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Partner in the event the Company reasonably believes the auditor is not suitably qualified or is a competitor of the Company. 
The Partner shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Nothing in this DPA will require the Company to either disclose to Partner or its third-party auditor, or to allow Partner or its third-party auditor to access: (i) any data of any other customer; (ii) internal accounting or financial information; (iii) any trade secret; (iv) any information that, in the Company’s reasonable opinion, could compromise the security of any systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Partner or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligations under the Data Protection Laws; 3.1.8 not lease, sell or otherwise distribute Personal Data; 3.1.9 Partner shall be responsible to provide Company with any end-users’ opt-out or consent signals to enable Company to process the Personal Data in accordance with Data Protection Laws. 
With respect to Personal Data collected under this DPA via cookies/pixels/beacons or similar tracking technologies (“Tracking Technologies”), Company will comply, where and when legally necessary, with end user's opt-out or consent signals transmitted via Partner’s and/or its partners’ consent mechanisms or otherwise; promptly notify Partner of any investigation, litigation, arbitrated matter or other dispute relating to the Company or the processing of Personal Data under the Agreement; 3.1.10 promptly notify Partner in writing and provide Partner an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Partner; 3.1.11 upon termination of the Agreement, or upon Partner’s written request at any time during the term of the Agreement, Company shall cease to process any Personal Data received from Partner, and within a reasonable period will at the request of Partner: (1) return the Personal Data; or (2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws.

Appears in 1 contract

Sources: Data Processing Addendum

Roles and Restrictions on Processing. 3.1 4.1 If Company Partner has access to or otherwise processes Processes Personal Data pursuant to the Agreement, then Company Partner shall: 3.1.1 4.1.1 only process Process the Personal Data in accordance with Partner’s Company's documented instructions and on its behalf, and in accordance with the Agreement and this DPA and related Attachments, unless required otherwise under applicable laws. In such case, Company shall, including where relevant with regards to the extent legally permitted, promptly notify Partner transfer of such legal obligationPersonal Data outside the EEA or to an international organization; 3.1.2 4.1.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and processProcess, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Partner’s own written binding policies are at least as restrictive as this DPA); 3.1.3 without undue delay4.1.3 promptly, and in any case within the period of time required in Data Protection Laws, assist Partner Company as needed to cooperate with and respond to requests from supervisory authorities, Data Subjects, customers, or others to provide information (including details of the services provided by CompanyPartner) related to C o m p a n y Partner’s processing Processing of Personal Data; 3.1.4 4.1.4 notify Partner the Company without undue delay, and no later than seventy-two twenty four (7224) hours, after becoming aware of a Security Incident; 3.1.5 4.1.5 provide full, reasonable cooperation and assistance to Partner Company in: 3.1.5.1 4.1.5.1 upon receipt of: (a) requests from Data Subjects to exercise their 
rights under the Data Protection Laws in connection with Personal Data processed Processed under this DPA, including (without limitation) the right of access, right to rectification, restriction of processingProcessing, erasure, data portability, object to the processingProcessing, or the right not to be subject to an automated individual decision making, the right to opt-out (where applicable); and/or (b) any requests or inquiries from supervisory authorities, customers, or others, to provide information related to CompanyPartner’s processing Processing of Personal Data under this DPA; , shall: (i) direct such requests to Partner Company without undue delay, and (ii) not respond or act upon such requests without prior written approval from PartnerCompany; and (iii) promptly, and in any case within the period of time required in Data Protection Laws, provide full, reasonable cooperation and assistance to Partner Company in responding to and exercising such requests, except that the foregoing shall not apply only and insofar as it conflicts with Data Protection Laws. 3.1.6 4.1.5.2 ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws; 4.1.5.3 ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable). 
4.1.6 only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; 3.1.7 as required under Data Protection Laws, maintain accurate written records of any and all the processing activities of any Personal Data carried out under the Agreement (including the categories of processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the Partner and applicable supervisory authority on request; in the event the records and documentation provided are not sufficient for the purpose of demonstrating compliance, the Company shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Partner, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Partner in the event the Company reasonably believes the auditor is not suitably qualified or is a competitor of the Company. The Partner shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. 
Nothing in this DPA will require the Company to either disclose to Partner or its third-party auditor, or to allow Partner or its third-party auditor to access: (i) any data of any other customer; (ii) internal accounting or financial information; (iii) any trade secret; (iv) any information that, in the Company’s reasonable opinion, could compromise the security of any systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Partner or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligations under the Data Protection Laws; 3.1.8 4.1.7 not lease, sell or otherwise distribute Personal Data; 3.1.9 Partner shall be responsible to provide Company with any end-users’ opt-out or consent signals to enable Compay to process the Personal Data in accordance with Data Protection Laws. With respect to Personal Data collected under this DPA via cookies/pixels/beacons or similar tracking technologies (“Tracking Technologies”), Compay will comply, where and when legally necessary, with end user's opt-out or consent signals transmitted via Partner’s and/or its partners’ consent mechanisms or otherwise; 4.1.8 promptly notify Partner Company of any investigation, litigation, arbitrated matter or other dispute relating to Partner’s information security or privacy practices as it relates to the Company or the processing Processing of Personal Data under the AgreementData; 3.1.10 promptly notify Partner in writing and provide Partner an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Partner; 3.1.11 4.1.9 upon termination of the Agreement, or upon Partner’s Company's written request at any time during the term of the Agreement, Company Partner shall cease to 
process Process any Personal Data received from PartnerCompany, and within a reasonable period will at the request of Partner: Company: (1) return the Personal Data; or (2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.

Appears in 1 contract

Sources: Data Protection Addendum

Roles and Restrictions on Processing. 3.1 4.1 If Company Partner has access to or otherwise processes Processes Personal Data pursuant to the Agreement, then Company Partner shall: 3.1.1 4.1.1 only process Process the Personal Data in accordance with Partner’s Company's documented instructions and on its behalf, and in accordance with the Agreement and this DPA and related Attachments, unless required otherwise under applicable laws. In such case, Company shall, including where relevant with regards to the extent legally permitted, promptly notify Partner transfer of such legal obligationPersonal Data outside the EEA or to an international organization; 3.1.2 4.1.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and processProcess, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Partner’s own written binding policies are at least as restrictive as this DPA); 3.1.3 without undue delay4.1.3 promptly, and in any case within the period of time required in Data Protection Laws, assist Partner Company as needed to cooperate with and respond to requests from supervisory authorities, Data Subjects, customers, or others to provide information (including details of the services provided by CompanyPartner) related to C o m p a n y Partner’s processing Processing of Personal Data; 3.1.4 4.1.4 notify Partner the Company without undue delay, and no later than seventy-two twenty four (7224) hours, after becoming aware of a Security Incident; 3.1.5 4.1.5 provide full, reasonable cooperation and assistance to Partner Company in: 3.1.5.1 4.1.5.1 upon receipt of: (a) requests from Data Subjects to exercise their 
rights under the Data Protection Laws in connection with Personal Data processed Processed under this DPA, including (without limitation) the right of access, right to rectification, restriction of processingProcessing, erasure, data portability, object to the processingProcessing, or the right not to be subject to an automated individual decision making, the right to opt-out (where applicable); and/or (b) any requests or inquiries from supervisory authorities, customers, or others, to provide information related to CompanyPartner’s processing Processing of Personal Data under this DPA; , shall: (i) direct such requests to Partner Company without undue delay, and (ii) not respond or act upon such requests without prior written approval from PartnerCompany; and (iii) promptly, and in any case within the period of time required in Data Protection Laws, provide full, reasonable cooperation and assistance to Partner Company in responding to and exercising such requests, except that the foregoing shall not apply only and insofar as it conflicts with Data Protection Laws. 3.1.6 4.1.5.2 ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws; 4.1.5.3 ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable). 
4.1.6 only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; 3.1.7 4.1.7 as required under Data Protection Laws, maintain accurate written records of any and all the processing Processing activities of any Personal Data carried out under the Agreement (including the categories of processing Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the Partner and applicable supervisory authority on request; ; 4.1.8 make all reasonable efforts to ensure that Personal Data are accurate and up to date at all times while in the event the records and documentation provided are not sufficient for the purpose of demonstrating compliance, the Company shall make available, solely upon prior reasonable written notice and no more than once per calendar yearits custody or under its control, to a reputable auditor nominated by the Partner, information necessary extent Partner has the ability to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Partner in the event the Company reasonably believes the auditor is not suitably qualified or is a competitor of the Company. The Partner shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. 
Nothing in this DPA will require the Company to either disclose to Partner or its third-party auditor, or to allow Partner or its third-party auditor to access: (i) any data of any other customer; (ii) internal accounting or financial information; (iii) any trade secret; (iv) any information that, in the Company’s reasonable opinion, could compromise the security of any systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Partner or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligations under the Data Protection Lawsdo so; 3.1.8 4.1.9 not lease, sell or otherwise distribute Personal Data; 3.1.9 Partner shall be responsible to provide Company with any end-users’ opt-out or consent signals to enable Compay to process the Personal Data in accordance with Data Protection Laws. With respect to Personal Data collected under this DPA via cookies/pixels/beacons or similar tracking technologies (“Tracking Technologies”), Compay will comply, where and when legally necessary, with end user's opt-out or consent signals transmitted via Partner’s and/or its partners’ consent mechanisms or otherwise; 4.1.10 promptly notify Partner Company of any investigation, litigation, arbitrated matter or other dispute relating to Partner’s information security or privacy practices as it relates to the Company or the processing Processing of Personal Data under the AgreementData; 3.1.10 4.1.11 promptly notify Partner Company in writing and provide Partner Company an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than PartnerCompany; 3.1.11 4.1.12 upon termination of the Agreement, or upon Partner’s Company's written request at any time during the term of the 
Agreement, Company Partner shall cease to process Process any Personal Data received from PartnerCompany, and within a reasonable period will at the request of Partner: Company: (1) return the Personal Data; or (2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.

Appears in 1 contract

Sources: Data Protection Addendum