Security and Protection.
8.1 Each Party will process data (whether Contract Data, Party Data or Services Data), which may include personal data (such as the personal data of end users or a Party's staff), for the purposes of performing its obligations and exercising its rights under or in connection with the DSC.
8.2 When acting as a data processor, the relevant Party shall:
(a) process Controller Data:
(i) only on the documented instructions of the data controller. For the purposes of the DSC, those instructions are as set out in this Clause 8, the CDSP Service Description, or as otherwise notified in writing by the data controller to the data processor. The data processor reserves the right to charge the data controller for any material change or addition to the instructions set out in the DSC; and
(ii) as required by European Union or English law applicable to the data processor, in which case the data processor shall first inform the data controller of the legal requirement, unless that law prohibits such prior notification;
(b) not engage any sub-processor if such engagement will have a material adverse effect on the data controller (and the relevant data controller hereby authorises the data processor to engage a sub-processor, provided such engagement will not have a material adverse effect on the data controller);
(c) not transfer any Controller Data to any country or territory outside the European Economic Area without obtaining the prior written consent of the data controller and provided that such transfer also complies with Data Protection Law;
(d) implement appropriate technical and organisational measures to ensure the security of the Controller Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage; and
(e) permit the data controller, or a third party auditor acting on the data controller's behalf and bound by a confidentiality agreement that is acceptable to the data processor, to conduct, at the data controller's cost, annual audits concerning the data processor’s compliance with the DSC. The data controller is entitled to more frequent audits if this is required by Data Protection Law. The data processor may provide sufficient evidence of its compliance with these procedures in lieu of conducting any such audits.
8.3 In addition to Clause 8.1, when acting as a data processor, the relevant Party shall:
(a) where this is technically possible, implement appropriate technical and organisational measures and provide the data controller with assistance in promptly complying with any data subject right requests (including access requests) received by the data controller in respect of the Controller Data. Such assistance shall involve following the data controller's detailed written instructions to release, modify or delete, or restrict access to, the Controller Data. The data processor reserves the right to charge the data controller for its compliance with this Clause 8.3(a);
(b) notify the data controller without undue delay if it becomes aware of any Data Breach that, in its reasonable opinion, is likely to result in a risk to the rights and freedoms of natural persons. Such notification shall include the following information, to the extent it is available:
(i) the nature of the Data Breach;
(ii) the nature of the personal data affected;
(iii) the categories and number of data subjects concerned;
(iv) the approximate number of personal data records concerned; and
(v) measures taken or proposed to be taken by the data processor to address the Data Breach;
(c) on request of the data controller, provide a summary of the technical and organisational security measures it has implemented under Clause 8.2(d) in respect of the Controller Data;
(d) notify the data controller prior to adopting any new type of processing in respect of Controller Data that, in the data processor's reasonable opinion, is likely to result in a risk to the rights and freedoms of natural persons;
(e) assist the data controller in preparing a data protection impact assessment in respect of any new type of processing proposed to be performed under the DSC. The data processor reserves the right to charge the data controller for its compliance with this Clause 8.3(e); and
(f) provide reasonable assistance to the data controller where the data controller is required by law to consult a Supervisory Authority regarding any new type of processing proposed under Clause 8.3(d). The data processor reserves the right to charge the data controller for its compliance with this Clause 8.3(f).
8.4 When acting as a data controller, the relevant Party shall provide the data processor with such assistance and co-operation as the data processor may reasonably request to enable the data processor to comply with its obligations under Data Protection Law and the DSC, including the following:
(a) on request of the data processor, promptly providing all information necessary for the data processor to comply with any obligations imposed on it by Data Protection Law or the DSC in relation to the Controller Data; and
(b) informing the data processor immediately in writing of any enquiry, complaint, notice or other communication it receives from any Supervisory Authority (including the Information Commissioner's Office) or any data subject relating to the performance of the DSC Services by the data processor.
8.5 The data controller warrants that:
(a) it shall at all times collect, transfer to the data processor and otherwise process all Controller Data in accordance with Data Protection Law and the DSC;
(b) without limiting Clause 8.5(a), it has provided all required notices and obtained all required consents from affected data subjects; and
(c) in light of the nature of the Controller Data, the technical and organisational security measures that the data controller has adopted and the data processor has implemented under Clause 8.2(d) ensure a level of security appropriate to the risk.
Appears in 2 contracts
Security and Protection.
8.1 Each Party will process data (whether Contract Data, Party Data or Services Data), which may include personal data (such as the personal data of end users or a Party's staff), for the purposes of performing its obligations and exercising its rights under or in connection with the DSC.
8.2 When acting as a data processor, the relevant Party shall:
(a) process Controller Data:
(i) only on the documented instructions of the data controller. For the purposes of the DSC, those instructions are as set out in this Clause 8, the CDSP Service Description, or as otherwise notified in writing by the data controller to the data processor. The data processor reserves the right to charge the data controller for any material change or addition to the instructions set out in the DSC; and
(ii) as required by European Union or English law applicable to the data processor, in which case the data processor shall first inform the data controller of the legal requirement, unless that law prohibits such prior notification;
(b) not engage any sub-processor if such engagement will have a material adverse effect on the data controller (and the relevant data controller hereby authorises the data processor to engage a sub-processor, provided such engagement will not have a material adverse effect on the data controller);
(c) not transfer any Controller Data to any country or territory outside the European Economic Area without obtaining the prior written consent of the data controller and provided that such transfer also complies with Data Protection Law;
(d) implement appropriate technical and organisational measures to ensure the security of the Controller Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage; and
(e) permit the data controller, or a third party auditor acting on the data controller's behalf and bound by a confidentiality agreement that is acceptable to the data processor, to conduct, at the data controller's cost, annual audits concerning the data processor’s compliance with the DSC. The data controller is entitled to more frequent audits if this is required by Data Protection Law. The data processor may provide sufficient evidence of its compliance with these procedures in lieu of conducting any such audits.
8.3 In addition to Clause 8.1, when acting as a data processor, the relevant Party shall:
(a) where this is technically possible, implement appropriate technical and organisational measures and provide the data controller with assistance in promptly complying with any data subject right requests (including access requests) received by the data controller in respect of the Controller Data. Such assistance shall involve following the data controller's detailed written instructions to release, modify or delete, or restrict access to, the Controller Data. The data processor reserves the right to charge the data controller for its compliance with this Clause 8.3(a);
(b) notify the data controller without undue delay if it becomes aware of any Data Breach that, in its reasonable opinion, is likely to result in a risk to the rights and freedoms of natural persons. Such notification shall include the following information, to the extent it is available:
(i) the nature of the Data Breach;
(ii) the nature of the personal data affected;
(iii) the categories and number of data subjects concerned;
(iv) the approximate number of personal data records concerned; and
(v) measures taken or proposed to be taken by the data processor to address the Data Breach;
(c) on request of the data controller, provide a summary of the technical and organisational security measures it has implemented under Clause 8.2(d) in respect of the Controller Data;
(d) notify the data controller prior to adopting any new type of processing in respect of Controller Data that, in the data processor's reasonable opinion, is likely to result in a risk to the rights and freedoms of natural persons;
(e) assist the data controller in preparing a data protection impact assessment in respect of any new type of processing proposed to be performed under the DSC. The data processor reserves the right to charge the data controller for its compliance with this Clause 8.3(e); and
(f) provide reasonable assistance to the data controller where the data controller is required by law to consult a Supervisory Authority regarding any new type of processing proposed under Clause 8.3(d). The data processor reserves the right to charge the data controller for its compliance with this Clause 8.3(f).
8.4 When acting as a data controller, the relevant Party shall provide the data processor with such assistance and co-operation as the data processor may reasonably request to enable the data processor to comply with its obligations under Data Protection Law and the DSC, including the following:
(a) on request of the data processor, promptly providing all information necessary for the data processor to comply with any obligations imposed on it by Data Protection Law or the DSC in relation to the Controller Data; and
(b) informing the data processor immediately in writing of any enquiry, complaint, notice or other communication it receives from any Supervisory Authority (including the Information Commissioner's Office) or any data subject relating to the performance of the DSC Services by the data processor.
8.5 The data controller warrants that:
(a) it shall at all times collect, transfer to the data processor and otherwise process all Controller Data in accordance with Data Protection Law and the DSC;
(b) without limiting Clause 8.5(a), it has provided all required notices and obtained all required consents from affected data subjects; and
(c) in light of the nature of the Controller Data, the technical and organisational security measures that the data controller has adopted and the data processor has implemented under Clause 8.2(d) ensure a level of security appropriate to the risk.
Appears in 1 contract
Sources: DSC Terms and Conditions