Common use of Security of Clause in Contracts

Security of. processing where acting as a processor 3.4.1 Each Member acknowledges that from time to time it may process Personal Data as a processor (Processor Member) on behalf of any and all of the other Members (the Controller Member) whether as a result of compliance with the BCRs or otherwise. The Member will ensure at all times that it is clearly documented where responsibility lies for the processing of such Personal Data in accordance with the GDPR. 3.4.2 Each Member agrees and acknowledges that compliance with the BCRs, particularly in relation to security measures, constitutes sufficient guarantees relating to the technical and organisational security measures governing the processing to be carried out by the Member to satisfy the requirements of the Article 32 of the GDPR. 3.4.3 The information required by Article 28(3) of the GDPR in relation to the subject-matter, duration, nature and purpose of the processing, type of Personal Data and categories of Data Subjects, is set out in the BCRs. 3.4.4 Each Processor Member undertakes to the Controller Member that it shall: (a) Instructions: subject to Clause 3.4.5, only process the Personal Data: (i) on the documented instructions of the Controller Member, including with regard to transfers of Personal Data to a third country or international organisation; or (ii) as required by law applicable to the Processor Member, provided that the Processor Member first informs the Controller Member in written form of that legal requirement before processing unless that law prohibits this on important grounds of public interest; (b) Staff: ensure the Processor Member staff authorised to process the Personal Data have committed themselves to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality; DocuSign Envelope ID: 85BF9186-F695-42D4-84F2-5A2035C1EA94 (c) Security: take all measures required by Article 32 (Security of Processing) of the GDPR;

Security of. processing where acting as a processor 3.4.1 Each Member acknowledges that from time to time it may process Personal Data as a processor (the Processor Member) on behalf of any and all of the other Members (the Controller Member) whether as a result of compliance with the BCRs or otherwise. The Member will ensure at all times that it is clearly documented where responsibility lies for the processing of such Personal Data in accordance with the UK GDPR. 3.4.2 Each Member agrees and acknowledges that compliance with the BCRs, particularly in relation to security measures, constitutes sufficient guarantees relating to the technical and organisational security measures governing the processing to be carried out by the Member to satisfy the requirements of the Article 32 of the UK GDPR. 3.4.3 The information required by Article 28(3) of the UK GDPR in relation to the subject-matter, duration, nature and purpose of the processing, type of Personal Data and categories of Data Subjects, is set out in the BCRs. 3.4.4 Each Processor Member undertakes to the Controller Member that it shall: (a) Instructions: subject to Clause 3.4.5, only process the Personal Data: (i) on the documented instructions of the Controller Member, including with regard to transfers of Personal Data to a third country or international organisationorganization; or (ii) as required by law applicable to the Processor Member, provided that the Processor Member first informs the Controller Member in written form of that legal requirement before processing unless that law prohibits this on important grounds of public interest; (b) Staff: ensure the Processor Member staff authorised to process the Personal Data have committed themselves to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality; DocuSign Envelope ID: 85BF9186-F695-42D4-84F2-5A2035C1EA94; (c) Security: take all measures required by Article 32 (Security of Processing) of the UK GDPR;