Common use of Scope of Processing Clause in Contracts

Scope of Processing. 2.1 The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including responsibility to ensure necessary legal basis for collecting, processing and transfer of Personal Data. 2.2 The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to protection of Personal Data. 2.3 This Agreement concerns the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Services or otherwise as described in Schedule 1. 2.4 The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Controller: ● for the purposes of those Services and not for any other purpose; ● to the extent and in such manner as is necessary for those purposes; and ● strictly in accordance with the express authorization and instructions of designated contacts at the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor). 2.5 The Processor, its Sub-processors, and other persons acting under the authority of the Processor who has access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with its documented instructions and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws. 2.6 The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation. 2.7 The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer or delete the Personal Data. 2.8 The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO. 2.9 Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall: 2.9.1 not process the Personal Data outside the European Union without the prior written consent of the Controller and, where the Controller consents to such a transfer, to comply with the transfer obligations of Chapter V of the Data Protection Legislation; 2.9.2 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO; 2.9.3 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Controller; 2.9.4 any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or other legal basis for such transfer or disclosure; and 2.9.5 if so requested by the Controller (and within the timescales required by the Controller) supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access. 2.10 On at least 10 days' prior notice, the Processor shall permit persons authorised by the Controller to enter into any premises on which the Personal Data provided by the Controller to the Processor is processed, and to inspect the Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this Agreement. 2.11 The Processor shall notify the Controller (within two working days) if it receives: 2.11.1 a request from a data subject to have access to that person’s Personal Data; or 2.11.2 a complaint or request relating to the Controller’s obligations under the Data Protection Legislation. 2.10 The Processor agrees to provide the Controller with full co-operation and assistance in relation to any complaint or request made, including by: 2.12.1 providing the Controller with full details of the complaint or request; 2.12.2 complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions; 2.12.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller); 2.12.4 providing the Controller with any information requested by the Controller; 2.13 notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.

Scope of Processing. 2.1 The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including responsibility to ensure necessary legal basis for collecting, processing and transfer of Personal Data. 2.2 . The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to protection of Personal Data. 2.3 . This Agreement concerns the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Services or otherwise as described in Schedule 1. 2.4 . The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Controller: ● for the purposes of those Services and not for any other purpose; ● to the extent and in such manner as is necessary for those purposes; and ● strictly in accordance with the express authorization and instructions of designated contacts at the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor). 2.5 . The Processor, its Sub-processors, and other persons acting under the authority of the Processor who has access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with its documented instructions and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws. 2.6 . The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation. 2.7 . The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer or delete the Personal Data. 2.8 . The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO. 2.9 . Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall: 2.9.1 not process the Personal Data outside the European Union without the prior written consent of the Controller and, where the Controller consents to such a transfer, to comply with the transfer obligations of Chapter V of the Data Protection Legislation; 2.9.2 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO; 2.9.3 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Controller; 2.9.4 any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or other legal basis for such transfer or disclosure; and 2.9.5 if so requested by the Controller (and within the timescales required by the Controller) supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access. 2.10 On at least 10 days' prior notice, the Processor shall permit persons authorised by the Controller to enter into any premises on which the Personal Data provided by the Controller to the Processor is processed, and to inspect the Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this Agreement. 2.11 The Processor shall notify the Controller (within two working days) if it receives: 2.11.1 a request from a data subject to have access to that person’s Personal Data; or 2.11.2 a complaint or request relating to the Controller’s obligations under the Data Protection Legislation. 2.10 The Processor agrees to provide the Controller with full co-operation and assistance in relation to any complaint or request made, including by: 2.12.1 providing the Controller with full details of the complaint or request; 2.12.2 complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions; 2.12.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller); 2.12.4 providing the Controller with any information requested by the Controller; 2.13 notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.

Scope of Processing. 2.1 The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including responsibility to ensure necessary legal basis for collecting, processing and transfer of Personal Data. 2.2 The terms of this Agreement supersede any other arrangement, understanding or agreement made between the Parties at any time relating to protection of Personal Data. 2.3 This Agreement concerns the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Services or otherwise as described in Schedule 1. 2.4 The nature and the purpose of the processing, including operations and activities, are specified in Schedule 1 but the Processor is only to carry out the Services, and only to process Personal Data received from the Controller: ● for the purposes of those Services and not for any other purpose; ● to the extent and in such manner as is necessary for those purposes; and ● strictly in accordance with the express authorization and instructions of designated contacts at the Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Controller to the Processor). 2.5 The Processor, its Sub-processors, and other persons acting under the authority of the Processor who has access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with its documented instructions and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws. 2.6 The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation. 2.7 The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer or delete the Personal Data. 2.8 The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICOICO – additional costs may be incurred which the Data Controller will need to settle. 2.9 Where the Processor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall: 2.9.1 not process the Personal Data outside the European Union without the prior written consent of the Controller and, where the Controller consents to such a transfer, to comply with the transfer obligations of Chapter V of the Data Protection Legislation; 2.9.2 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO; 2.9.3 implement appropriate technical and organisational measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Controller; 2.9.4 any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or other legal basis for such transfer or disclosure; and 2.9.5 if so requested by the Controller (and within the timescales required by the Controller) supply details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access. 2.10 On at least 10 14 days' prior notice, the Processor shall permit persons authorised by the Controller to enter into any premises on which the Personal Data provided by the Controller to the Processor is processed, and to inspect the Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this AgreementAgreement – visits for sub-processors may be chargeable. 2.11 The Processor shall notify the Controller (within two working dayswithout undue delay) if it receives: 2.11.1 a request from a data subject to have access to that person’s Personal Data; or 2.11.2 a complaint or request relating to the Controller’s obligations under the Data Protection Legislation. 2.10 The Processor agrees to provide the Controller with full co-operation and assistance in relation to any complaint or request made, including by: 2.12.1 providing the Controller with full details of the complaint or request; 2.12.2 complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions; 2.12.3 providing the Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Controller); 2.12.4 providing the Controller with any information requested by the Controller; 2.13 notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of any of the Personal Data.

Scope of Processing. 2.1 1. The Controller determines the purposes and means of the processing Processing of Personal Data. The Controller shall at all times comply with its obligations pursuant to Data Protection Legislation, including responsibility to ensure necessary legal ensuring that it has a sufficient and valid lawful basis for collectingproviding any Personal Data to the Processor, processing and transfer of Personal Dataauthorising the Processor, to perform its obligations, activities and exercise its rights under this DPA. 2.2 2. The terms of this Agreement DPA supersede any other arrangement, understanding or agreement made between the Parties at any time relating to protection Processing of Personal Data. 2.3 3. This Agreement DPA concerns the Processor's processing Processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the Services or otherwise as described in Schedule 1. 2.4 4. The nature and the purpose of the processingProcessing, including operations and activities, are specified in Schedule 1 but the 1. The Processor is only to carry out the Services, and only to process shall Process Personal Data received from the Controller: ● : 4.1. for the purposes of those the Services and not for any other purpose; ● as set out in Schedule 1; 4.2. to the extent and in such manner as is necessary for those purposes; and ● strictly and 4.3. in accordance with the express authorization and documented instructions of designated contacts at the Controller (which may must be specific instructions or instructions of a general nature or as instructions) unless the Processor is required to do otherwise notified by law (in which case the Processor will inform the Controller of such legal requirement prior to the Processorprocessing, unless prohibited from doing so on legal grounds). 2.5 The Processor, its Sub-processors, and other persons acting under the authority of the Processor who has access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with its documented instructions and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws. 2.6 5. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation. 2.7 6. The Processor shall promptly comply with appropriately respond to any request from the Controller requiring the Processor to amend, transfer or delete delete, or stop the further Processing of the Personal Data. 2.8 The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and all applicable legislation from time to time in force and any best practice guidance issued by the ICO. 2.9 7. Where the Processor processes Processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Controller it shall: 2.9.1 not process the Personal Data outside the European Union without the prior written consent of the Controller and, where the Controller consents to such a transfer, to comply with the transfer obligations of Chapter V of the Data Protection Legislation; 2.9.2 process 7.1. Process the Personal Data only to the extent, and in such manner, as is necessary in order to properly provide the Services and comply with its obligations to the Controller or as is required by law or any regulatory body including but not limited to the ICO; 2.9.3 7.2. implement and maintain appropriate technical and organisational measures measures, and take all steps necessary necessary, to protect the Personal Data against unauthorised or unlawful processing Processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested from the Controller; 2.9.4 any transfer of Personal Data is subject to the Data Protection Legislation’s standard contractual clauses or other legal basis for such transfer or disclosure; and 2.9.5 7.3. if so requested by the Controller (and within the reasonable timescales required by the Controller) supply details reasonably sufficient detail of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.; 2.10 On 7.4. make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations detailed in this DPA; and 7.5. upon the Controller’s request, and at least 10 days' prior noticethe Controller’s cost, the Processor shall permit persons authorised allow for and contribute to audits, including inspections, conducted by the Controller to enter into any premises on which or the Personal Data Controller’s approved professionally-appointed auditor provided by that the Controller gives to the Processor is processed, reasonably sufficient (and no less than 8 weeks’) written notice and such audits are limited to inspect the Processor’s facilities, equipment, documents and electronic data relating to the processing of the Personal Data. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this Agreementonce every calendar year. 2.11 8. The Processor shall notify the Controller (within two working days) if it receives: 2.11.1 8.1. a request from a data subject to have Data Subject for access to to, correction, restriction, portability or deletion of that person’s Personal Data or an objection from that person regarding the Processing of their Personal Data; or 2.11.2 8.2. a complaint or request relating to the Controller’s obligations under the Data Protection Legislation. 2.10 The 9. Taking into account the nature of the Processing, the Processor agrees to provide the Controller with full co-operation and assistance all reasonable assistance, insofar as this is possible, in relation to any complaint or request madefulfilling the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Data Protection Legislation, including (where appropriate and applicable) by: 2.12.1 9.1. providing the Controller with full details reasonably sufficient detail of the complaint or request; 2.12.2 9.2. complying with a data access request within the relevant timescale and in accordance with the Controller’s instructions; 2.12.3 9.3. providing the Controller with any Personal Data it holds in relation to a data subject Data Subject (within the timescales required by the ControllerController under UK GDPR); 2.12.4 9.4. providing the Controller with any information reasonably requested by the Controller; 2.13 notify Controller in order to enable the Controller immediately if it becomes aware of to fulfil its obligation under Data Protection Legislation; provided that the Controller shall bear any unauthorised or unlawful processing, loss of, damage costs accrued by the Processor related to or destruction of any of the Personal Datasuch co-operation and assistance.