Subprocessing. 5.1 Each Company Group Member authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with section 6 of this DPA to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement. 5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4. 5.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken. 5.4 With respect to each Subprocessor, Vendor shall: 5.4.1 before the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement; 5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR; 5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to time. 5.5 Vendor shall ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 2 contracts
Subprocessing. 5.1 Each Company Group Member authorizes 6.1 Vendor shall only appoint subprocessors which enable Vendor to appoint (comply with Privacy Laws and permit this DPA, and Vendor shall obtain prior written authorisation in respect of each Subprocessor appointed subprocessor and shall not use any subprocessor to undertake Processing of the Protected Data without the prior written authorisation of Verint. Prior written authorisation includes where such subprocessors are referred to in accordance with section 6 the Cover Page of this DPA or otherwise agreed in writing by ▇▇▇▇▇▇, and each such authorised subprocessor shall deemed to appoint) Subprocessors in accordance with be an Authorised Subprocessor for the purposes of this section 5 DPA and any restrictions in the Principal Agreement.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at 6.2 Where ▇▇▇▇▇▇’s written authorisation in respect of an Authorised Subprocessor is included in the date Cover Page of this DPADPA and therefore such Authorised Subprocessor is classified as an existing appointed subprocessor of the Vendor, subject then Vendor shall provide written evidence upon ▇▇▇▇▇▇’s request to Vendor in each case as soon as practicable meeting enable Verint to verify the obligations set out in section 5.4Authorised Subprocessor’s activities relating to the Processing of Protected Data.
5.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken.
5.4 6.3 With respect to each Authorised Subprocessor, Vendor shall:
5.4.1 6.3.1 before the Authorised Subprocessor first first Processes Company Personal Protected Data (or, where relevant, in accordance with section 5.2Section 6.2), carry out adequate due diligence to ensure that the Authorised Subprocessor is capable of providing the level of protection for Company Personal Protected Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; Principal Agreement and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) upon Verint’s request provide written evidence thereof;
6.3.2 ensure that each Authorised Subprocessor is subject to a Written Subcontract and ensure that each Written Subcontract contains a prohibition on further subcontracting of the GDPRProcessing of Protected Data (to any other subprocessor) unless with ▇▇▇▇▇▇’s prior written consent;
5.4.3 upon request 6.3.3 ensure the Written Subcontract incorporates the Standard Contractual Clauses in respect of any Processing by the Authorised Subcontractor that involves an Authorised Transfer under this DPA; and
6.3.4 provide to Company Verint for review such copies a copy of the Contracted Processors agreements Written Subcontract as Verint may request from time to time to enable Verint to verify compliance with Subprocessors this Section 6 (which copy may be redacted to remove confidential confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to time).
5.5 6.4 Vendor shall ensure that each Authorised Subprocessor performs the obligations under this DPA Sections 3, 4, 5, 6, 7.1, 8.1, 9 and 10.1, as they apply to Processing of Company Personal Protected Data carried out by that Authorised Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 2 contracts
Subprocessing. 5.1 Each Company Group Member authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with section 6 of this DPA to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor5.1. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (engage any Subprocessor or disclose any Company Personal Data toto any third party without Company’s prior specific written authorization. Vendor shall submit the request for specific authorization to Company (by email to ▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇) at least one month in advance of its engagement of a new Subprocessor. The request to engage a new Subprocessor should include (i) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation identity of the steps takennew Subprocessor, (ii) the location in which the Subprocessor would Process Company Personal Data, (iii) a description of the relevant Processing operations to be carried out by the Subprocessor, and (iv) any other information reasonably requested by Company.
5.4 With respect 5.2. To the extent that Company authorizes Vendor to engage a Subprocessor (“Authorized Subprocessor”):
(a) Vendor shall evaluate the security, privacy and confidentiality practices of each Subprocessor, Vendor shall:
5.4.1 before the Authorized Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure establish that the such Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreementthis DPA;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to time.
5.5 Vendor shall ensure that each Authorized Subprocessor performs is bound by a written agreement that, at a minimum, binds Authorized Subprocessor to the same data protection obligations as those applicable to Vendor under this DPA as they apply DPA. Such agreement must also include a third-party beneficiary clause whereby, in the event Vendor factually disappears, ceases to Processing of exist in law or becomes insolvent, Company shall have the right to terminate Vendor’s agreement with Authorized Subprocessor and instruct Authorized Subprocessor to destroy or return Company Personal Data carried to Company. Vendor shall be responsible for ensuring Authorized Subprocessors comply with the obligations in such agreements and Data Protection Laws;
(c) If Vendor transfers Company Personal Data to Authorized Subprocessor for Processing in a Third Country, Vendor shall utilize a transfer mechanism that complies with Data Protection Laws; and
(d) Vendor shall notify Company when its Authorized Subprocessor appoints a Subprocessor to Process Company Personal Data and comply with the requirements set out in this Section 5 of the DPA.
5.3. Upon request, Vendor shall provide (i) a list of Subprocessors to Company, and (ii) a copy of agreements with Subprocessors and any subsequent amendments thereto. Vendor may redact such agreements to the extent necessary to protect business secrets, other confidential information and Personal Data.
5.4. Vendor shall remain fully liable to Company for the performance of each Subprocessor’s obligations in accordance with this DPA. Vendor shall notify Company of any failure by that Subprocessor, as if it were party a Subprocessor to this DPA in place of Vendorfulfill its contractual obligations.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Subprocessing. 5.1 6.1 Each Company Subscriber Group Member authorizes Vendor authorises eMudhra and each eMudhra Affiliate to appoint (,and permit each Subprocessor appointed in accordance with this section 6 of this DPA to appoint) , Subprocessors in accordance with this section 5 6 and any restrictions in the Principal Agreement.
5.2 Vendor 6.2 eMudhra and each eMudhra Affiliate may continue to use those Subprocessors already engaged by Vendor eMudhra or any eMudhra Affiliate as at the date of this DPAAddendum, subject to Vendor eMudhra and each eMudhra Affiliate in each case as soon as practicable meeting the obligations set out in section 5.46.4.
5.3 Vendor 6.3 eMudhra shall give Company prior Subscriber written notice or make publicly available on its website of the appointment of any new SubprocessorSubprocessor that will process Subscriber’s data, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar 7 days of receipt of that notice, Company notifies Vendor Subscriber notifies eMudhra in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor Neither eMudhra nor any eMudhra Affiliate shall not appoint (or disclose any Company Subscriber Personal Data to) the that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Subscriber Group Member and Company Subscriber has been provided with a reasonable written explanation of the steps taken.
5.4 6.4 With respect to each Subprocessor, Vendor eMudhra or the relevant eMudhra Affiliate shall:
5.4.1 6.4.1 before the Subprocessor first first Processes Company Subscriber Personal Data (or, where relevant, in accordance with section 5.26.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Subscriber Personal Data required by the Principal Agreement;
5.4.2 6.4.2 ensure that the arrangement between on the one hand (a) Vendor eMudhra, or (b) the relevant eMudhra Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Subscriber Personal Data as those set out in this DPA Addendum and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to time.
5.5 Vendor shall 6.4.3 if that arrangement involves a Restricted Transfer, ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that SubprocessorStandard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand (a) eMudhra, as if it were party to this DPA in place of Vendor.or (b) the relevant eMudhra Affiliate, or
Appears in 2 contracts
Subprocessing. 5.1 Each Company Group Member authorizes Vendor (a) Customer acknowledges and agrees that JazzHR may engage Subprocessors in connection with the provision of the Services. A list of approved Subprocessors as of the Effective Date of this Addendum is located at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇.▇▇▇/subprocessor-list (the “Subprocessor List”). Customer may subscribe to appoint receive update alerts when changes are made to the Subprocessor List.
(and permit b) JazzHR will enter into a written agreement with each Subprocessor appointed containing data protection obligations, to the extent practicable, no less protective than those in accordance with section 6 this Addendum or as may otherwise be required by applicable Data Protection Laws and Regulations. JazzHR agrees to be responsible for the acts or omissions of this DPA each such Subprocessor to appoint) Subprocessors in accordance with this section 5 and any restrictions in the same extent as JazzHR would be liable if performing the services of such Sub-processor under the terms of the Agreement.
5.2 Vendor may continue to use those Subprocessors already (c) JazzHR will inform Customer of any new Subprocessor engaged during the term of the Agreement by Vendor as at updating the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company prior written notice of Subprocessor List. If Customer reasonably believes that the appointment of any a new SubprocessorSubprocessor will have a material adverse effect on JazzHR’s ability to comply with applicable Data Protection Laws and Regulations as a Processor, including full details then Customer must notify JazzHR in writing, within 30 days following the update to the Subprocessor List, of its reasonable basis for such belief. Upon receipt of Customer’s written notice, Customer and JazzHR will work together without unreasonable delay on an alternative arrangement. If a mutually-agreed alternative arrangement is not found, and Customer has a termination right under applicable Data Protection Laws and Regulations, then those Services that cannot be provided without the use of the Processing to new Subprocessor may be undertaken terminated by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps takenCustomer without penalty.
5.4 With respect to each Subprocessor, Vendor shall(d) Notices and Consents:
5.4.1 before the Subprocessor first Processes Company Personal (i) General: Customer shall comply with all applicable Data (orProtection Laws and Regulations, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand including: (a) Vendor or providing all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and JazzHR’s, Processing and transfer of Personal Data; and (b) obtaining all necessary rights and valid consents from Data Subjects to permit Processing by JazzHR for the relevant intermediate Subprocessor; purposes of fulfilling JazzHR’s obligations, or as otherwise permitted, under the Agreement.
(ii) Sensitive Data: Customer’s use of the Services in connection with the distribution of Customer Data and/or Processing of sensitive Customer Data of a Data Subject (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation) must be in compliance with all applicable Data Protection Laws and on the other hand the SubprocessorRegulations, is governed by a written contract including terms which offer at least the same level of protection for Company obtaining express consent from Data Subjects whose Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide is provided to Company JazzHR for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to timeProcessing.
5.5 Vendor shall ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 1 contract
Sources: Data Processing Agreement
Subprocessing. 5.1 Each Company Group Member authorizes Vendor Supplier agrees that any third- party Subprocessor it appoints shall be bound to appoint (the same standard of data protection provided for by this Agreement; and permit each Subprocessor appointed that Supplier will enter into agreements accordingly with its applicable subprocessors to give appropriate effect to the requirements in accordance with section 6 of this DPA Controller agrees that Supplier may use any subprocessor listed in Annex B. Notwithstanding this, Controller consents to appointSupplier engaging new subprocessors (including the replacement of existing ones) Subprocessors in accordance with this section 5 and any restrictions in to process the Agreement.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as Personal Data, provided that: (i) Supplier provides at the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company least 30 business days prior written notice of the appointment addition or replacement of any new Subprocessor, subprocessor (including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (processing it performs or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken.
5.4 With respect to each Subprocessor, Vendor shall:
5.4.1 before the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2will perform), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted given by provided details of such addition or replacement to remove confidential commercial information not relevant Controller; and (ii) Supplier imposes data protection terms on any subprocessor it appoints that protect the Personal Data to the requirements of same standard provided for by this DPA. If Controller refuses to consent to Supplier's appointment of a new third-party subprocessor, which should not be withheld unreasonably, then either Supplier will not appoint the subprocessor or Controller may elect to terminate the Agreement, provided that the Controller has substantial and documented reasons for objection to the change. Pemrosesan Lanjutan: Pemasok setuju bahwa Pemroses lanjutan pihak ketiga mana pun yang ditunjuknya harus terikat standar perlindungan data yang sama yang diatur di dalam Perjanjian ini; dan bahwa Pemasok akan mengikatkan diri ke dalam perjanjian-perjanjian sebagaimana mestinya dengan pemroses lanjutan yang berlaku untuk memberikan efek yang sesuai terhadap persyaratan dalam DPA ini, Pengendali setuju bahwa Pemasok dapat menggunakan pemroses lanjutannya sebagaimana tercantum dalam Lampiran B. Terlepas dari hal ini, Pengendali mengizinkan Pemasok melibatkan pemroses lanjutan baru (termasuk penggantian Pemroses lanjutan yang sudah ada) as Company may request from time to timeuntuk memproses Data Pribadi, dengan ketentuan bahwa: (i) Pemasok memberikan pemberitahuan penambahan atau penggantian pemroses lanjutan (termasuk rincian pemrosesan yang dilakukan atau akan dilakukan olehnya) selambat-lambatnya 30 hari kerja sebelumnya, yang dapat diberikan dengan menyediakan rincian penambahan atau penggantian tersebut kepada Pengendali; dan (ii) Pemasok menerapkan ketentuan perlindungan data kepada pemroses lanjutan yang ditunjuknya bahwa perlindungan Data Pribadi dilakukan sama seperti standar yang disediakan oleh DPA ini. Jika Pengendali menolak memberikan izin terhadap penunjukan pemroses lanjutan pihak ketiga yang baru oleh Pemasok, yang tidak boleh tidak diberikan dengan alasan yang tidak wajar, maka Pemasok tidak akan menunjuk pemroses lanjutan tersebut atau Pengendali dapat memilih mengakhiri Perjanjian, dengan ketentuan bahwa Pengendali memiliki alasan-alasan substansial dan terdokumentasi atas keberatan perubahan tersebut.
5.5 Vendor shall ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 1 contract
Sources: Data Processor Agreement
Subprocessing. 5.1 Each Company Group Member authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with section 6 of this DPA to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken.
5.4 With respect to each Subprocessor, Vendor shall:
5.4.1 before the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant Subject to the requirements of this DPA) as Company Section, Customer generally authorizes TaskRay to engage Subprocessors that TaskRay considers reasonably appropriate for the Processing of Customer Personal Data under this Addendum. A list of TaskRay’s Subprocessors, including their functions and locations, is available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/dpa-subprocessors and may request be updated by TaskRay from time to time.
5.5 Vendor shall ensure time in accordance with this Section. TaskRay will notify Customer of the addition or replacement of any Subprocessor at least ten (10) days prior to such engagement. Customer may object to such changes on reasonable data protection grounds by providing TaskRay written notice of such objection within the aforementioned ten (10) days period. Upon receiving such an objection, where practicable and at TaskRay’s sole discretion TaskRay will use commercially reasonable efforts to: (a) seek an alternative Subprocessor; (b) work with Customer in good faith to make available a commercially reasonable change in the provision of the Service which avoids the use of that each Subprocessor performs proposed Subprocessor; or (c) take corrective steps requested by Customer in its objection and proceed to use the obligations new Subprocessor. If TaskRay informs Customer that such change or corrective steps cannot be made, Customer may, as its sole and exclusive remedy available under this DPA as they apply Section, terminate the relevant portion of the Agreement involving the relevant aspect of the Service that requires the use of the proposed Subprocessor by providing written notice to Processing of Company Personal Data carried out by that TaskRay. When engaging any Subprocessor, as if it were party TaskRay will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those imposed upon TaskRay by this Addendum. TaskRay shall be liable for the acts and omissions of the Subprocessor to the extent TaskRay would be liable under the Agreement and this DPA in place of VendorAddendum.
Appears in 1 contract
Sources: Data Processing Addendum
Subprocessing. 5.1 Each Company Group Member authorizes Vendor Subscriber authorises Discovery Education to appoint (and permit each Subprocessor Sub-processor appointed in accordance with this section 6 of this DPA 5 to appoint) Subprocessors Sub-processors in accordance with this section 5 and any restrictions in the Agreement.
5.2 Vendor The Sub-processors for the Services used by Discovery Education are identified in Appendix 3 to the Standard Contractual Clauses attached hereto. Discovery Education may continue to use those Subprocessors Sub-processors, identified in Appendix 3, already engaged by Vendor Discovery Education as at of the date of this DPAAddendum, subject to Vendor Discovery Education in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor Discovery Education shall give Company Subscriber prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the SubprocessorSub-processor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor Subscriber shall notify Discovery Education in writing of any objections (on reasonable grounds) to the proposed appointment within ten (10) days after receipt of Discovery Education’s notice. In the event Subscriber objects to the appointment: Vendor shall , as permitted in the preceding sentence, Subscriber may terminate the applicable Order Form(s) with respect only to those Services that cannot appoint (or disclose any Company Personal Data to) be provided by Discovery Education without the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation use of the steps takenobjected-to new Sub-processor by providing written notice to Discovery Education. Discovery Education will refund Subscriber a pro-rated amount to reflect any prepaid Fees that cover the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services.
5.4 With respect to each SubprocessorSub-processor, Vendor Discovery Education shall:
5.4.1 before the Subprocessor first Sub-processor first Processes Company Personal Subscriber Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor Sub-processor is capable of providing the level of protection for Company Personal Subscriber Data required by the Agreement;; and
5.4.2 ensure that the arrangement between on Discovery Education and the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, Sub- processor is governed by a written contract including terms which offer at least the same level of protection for Company Personal Subscriber Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to timeAddendum.
5.5 Vendor Discovery Education shall ensure that each Subprocessor Sub-processor performs the obligations under this DPA Addendum as they apply to the Processing of Company Personal Subscriber Data carried out by that Subprocessor, as if it each Sub- processor were party to this DPA Addendum in place of VendorDiscovery Education.
Appears in 1 contract
Sources: Data Processing Addendum
Subprocessing. 5.1
6.1 Each Company Group Member authorizes authorises Vendor and each Vendor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this section 6 of this DPA to appoint) Subprocessors in accordance with this section 5 6 and any restrictions in the Principal Agreement.
5.2 6.2 Vendor and each Vendor Affiliate may continue to use those Subprocessors already engaged by Vendor or any Vendor Affiliate as at the date of this DPAAddendum, subject to Vendor and each Vendor Affiliate in each case as soon as practicable meeting the obligations set out in section 5.4.6.4.
5.3 6.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar 30 days of receipt of that notice, Company notifies notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: :
6.3.1 Vendor shall work with Company in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
6.3.2 where such a change cannot appoint (or disclose any be made within 30 days from Vendor's receipt of Company's notice, notwithstanding anything in the Principal Agreement, Company Personal Data to) may by written notice to Vendor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps takenSubprocessor.
5.4 6.4 With respect to each Subprocessor, Vendor shall:or the relevant Vendor Affiliate shall:
5.4.1 6.4.1 before the Subprocessor first first Processes Company Personal Data (or, where relevant, in accordance with section 5.26.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Principal Agreement;
5.4.2 6.4.2 ensure that the arrangement between on the one hand (a) Vendor Vendor, or (b) the relevant Vendor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA Addendum and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request 6.4.3 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand (a) Vendor, or (b) the relevant Vendor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, or before the Subprocessor first Processes Company Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with the relevant Company Group Member(s) (and Company shall procure that each Company Affiliate party to any such Standard Contractual Clauses co-operates with their population and execution); and
6.4.4 provide to Company for review such copies of the Contracted Processors Processors' agreements with Subprocessors (which may be redacted to remove confidential confidential commercial information not relevant to the requirements of this DPAAddendum) as Company may request from time to time.
5.5 6.5 Vendor and each Vendor Affiliate shall ensure that each Subprocessor performs the obligations under this DPA sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA Addendum in place of Vendor.
Appears in 1 contract
Sources: Data Processing Agreement
Subprocessing. 5.1 Each Company Group Member authorizes Vendor (a) Customer acknowledges and agrees that JazzHR may engage Subprocessors in connection with the provision of the Services. A list of approved Subprocessors as of the Effective Date of this Addendum is located at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇.▇▇▇/subprocessorlist (the “Subprocessor List”). Customer may subscribe to appoint receive update alerts when changes are made to the Subprocessor List.
(and permit b) JazzHR will enter into a written agreement with each Subprocessor appointed containing data protection obligations, to the extent practicable, no less protective than those in accordance with section 6 this Addendum or as may otherwise be required by applicable Data Protection Laws and Regulations. JazzHR agrees to be responsible for the acts or omissions of this DPA each such Subprocessor to appoint) Subprocessors in accordance with this section 5 and any restrictions in the same extent as JazzHR would be liable if performing the services of such Subprocessor under the terms of the Agreement.
5.2 Vendor may continue to use those Subprocessors already (c) JazzHR will inform Customer of any new Subprocessor engaged during the term of the Agreement by Vendor as at updating the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company prior written notice of Subprocessor List. If Customer reasonably believes that the appointment of any a new SubprocessorSubprocessor will have a material adverse effect on JazzHR’s ability to comply with applicable Data Protection Laws and Regulations as a Processor, including full details then Customer must notify JazzHR in writing, within 30 days following the update to the Subprocessor List, of its reasonable basis for such belief. Upon receipt of Customer’s written notice, Customer and JazzHR will work together without unreasonable delay on an alternative arrangement. If a mutuallyagreed alternative arrangement is not found, and Customer has a termination right under applicable Data Protection Laws and Regulations, then those Services that cannot be provided without the use of the Processing to new Subprocessor may be undertaken terminated by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps takenCustomer without penalty.
5.4 With respect to each Subprocessor, Vendor shall(d) Notices and Consents:
5.4.1 before the Subprocessor first Processes Company Personal (i) General: Customer shall comply with all applicable Data (orProtection Laws and Regulations, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand including: (a) Vendor or providing all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and JazzHR’s, Processing and transfer of Personal Data; and (b) obtaining all necessary rights and valid consents from Data Subjects to permit Processing by JazzHR for the relevant intermediate Subprocessor; purposes of fulfilling JazzHR’s obligations, or as otherwise permitted, under the Agreement.
(ii) Sensitive Data: Customer’s use of the Services in connection with the distribution of Customer Data and/or Processing of sensitive Customer Data of a Data Subject (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation) must be in compliance with all applicable Data Protection Laws and on the other hand the SubprocessorRegulations, is governed by a written contract including terms which offer at least the same level of protection for Company obtaining express consent from Data Subjects whose Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide is provided to Company JazzHR for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to timeProcessing.
5.5 Vendor shall ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 1 contract
Sources: Data Processing Addendum
Subprocessing. 5.1 Each 7.1 Subject to Section 7.3, the Service Provider is hereby authorized to engage other Processors in relation to the Processing of Company Group Member authorizes Vendor to appoint Personal Data under this DPA (and permit each Subprocessor appointed "SubProcessor") in accordance with section 6 and to the extent permitted by Data Protection Laws. As of this DPA to appoint) Subprocessors the date hereof, the Service Provider engages exclusively the SubProcessors listed in accordance with this section 5 and any restrictions in Exhibit C which the Agreement.
5.2 Vendor Service Provider may continue to use those Subprocessors already engaged by Vendor as at the date of this DPAuse, subject to Vendor in each case as soon as practicable meeting provided that the obligations set out in section 5.4Section 7.2 are met. The Service Provider shall at all times and without being so requested provide the Company with an up to date list of SubProcessors, detailing company name, address, contact details, the specific area of Processing operations outsourced and the location of the Processing.
5.3 Vendor 7.2 With respect to each SubProcessor, the Service Provider shall:
(a) before any Company Personal Data is transferred to the SubProcessor, carry out adequate due diligence to ensure that the SubProcessor is capable of (i) providing the level of protection for Company Personal Data required by this DPA, the Principal Agreement and Data Protection Laws and (ii) complying with the Standard Contractual Clauses adopted by the EU Commission or any other safeguards applied in relation to a Cross Border Transfer (as defined in Section 8.1 below) and, where required or appropriate, has taken supplementary effective measures to ensure an essentially equivalent level of protection;
(b) enter into a written agreement with the SubProcessor which imposes the same obligations on the SubProcessor in relation to the protection of Company Personal Data as are imposed on the Service Provider under this DPA;
(c) upon written request provide the Company with the Sub-contracting agreement and any other documentation reasonably requested by the Company (it being understood that the Service Provider shall be permitted to redact any confidential commercial terms which are and not required by the Company to assess compliance of the Service Provider with its obligations under this DPA); and
(d) conduct regular audits as required to ensure that the SubProcessor complies with the Data Security Standards and its other contractual obligations and shall promptly notify the Company in writing in accordance with Section 10 of any breach of a SubProcessor's obligations.
7.3 Service Provider shall give Company prior written notice of the appointment intended engagement of any new SubprocessorSubProcessor, including full details of the Processing to be undertaken by the SubprocessorSubProcessor. If, within 14 Calendar days three weeks of receipt of that notice, the Company notifies Vendor notifies Service Provider in writing of any objections (on reasonable grounds) grounds to the proposed appointment: Vendor , Service Provider shall not appoint (or disclose any Company Personal Data to) the that proposed Subprocessor SubProcessor until reasonable steps have been taken to address the objections raised by the Company.
7.4 In case of non-compliance of any Company Group Member and Company has been provided SubProcessor with a reasonable written explanation of the steps taken.its contractual obligations,
5.4 With respect to each Subprocessor, Vendor shall:
5.4.1 before the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor the Service Provider shall remain liable to the Company for any damages caused by such non-compliance and shall indemnify and hold harmless the Company against any claims or damages in connection with or resulting from the engagement of the SubProcessor; and
(b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide shall be entitled to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant withdraw its consent to the requirements engagement of this DPA) as Company may request from time to time.
5.5 Vendor such SubProcessor in which case the Service Provider shall promptly stop engaging such SubProcessor in connection with the Processing Services. The Service Provider shall ensure that each Subprocessor performs the SubProcessor promptly and fully complies with the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of VendorSection 12.
Appears in 1 contract
Sources: Construction Management Agreement
Subprocessing. 5.1 Each Company Group Member authorizes Vendor 1. By means of this Agreement, the Processor gives the Subprocessor a general written authorization to appoint engage another subprocessor for all or part of the processing under this Agreement.
2. It is agreed that any subprocessor of the Subprocessor listed under Appendix 2, is expressly authorized.
3. The Subprocessor shall inform the Processor of any intended changes concerning the addition or replacement of other subprocessors, thereby giving Processor the opportunity to object to such changes. If the Processor has substantive and legitimate reasons for opposing the specific subprocessor and notifies the Subprocessor of such objections in writing within the month after receipt of the Subprocessor’s notice relating to such subprocessor.
4. Where, with the general approval of the Processor as provided above, the Subprocessor makes any arrangement or contemplates having any Personal Data held under this Agreement transferred to and processed by a subprocessor, the following conditions will apply:
a) The Subprocessor shall do so only by way of a written agreement with the subprocessor which imposes essentially the same obligations on the subprocessor as are imposed on the Subprocessor under this Agreement, in particular the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the applicable requirements under applicable Data Protection Laws.
b) Where any Personal Data are or will be transferred outside of the EEA to a country not adducing an adequate level of data protection, EU Standard Contractual Clauses for subprocessors shall be entered into between the Subprocessor and the specific subprocessor (and permit each Subprocessor appointed under the appropriate module) or any other adequate data transfer mechanisms shall be put in place in accordance with section 6 applicable Data Protection Laws.
c) Where the subprocessor of this DPA the Subprocessor fails to appoint) Subprocessors in accordance with this section 5 and any restrictions fulfil its data protection obligations under such written agreement, the Subprocessor shall remain fully liable to the Processor for the performance of the subprocessor's obligations subject to the limitations of liability as agreed upon in the Services Agreement. Such limitation of liability will not be applicable in case of intent, gross negligence or fraud.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken.
5.4 With respect to each Subprocessor, Vendor shall:
5.4.1 before the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to time.
5.5 Vendor shall ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 1 contract
Sources: Data Processing Agreement
Subprocessing. 5.1 Each Company Group Member authorizes Vendor Subscriber authorises Discovery Education to appoint (and permit each Subprocessor Sub-processor appointed in accordance with this section 6 of this DPA 5 to appoint) Subprocessors Sub-processors in accordance with this section 5 and any restrictions in the Agreement.
5.2 Vendor The Sub-processors for the Services used by Discovery Education are identified in Appendix 3 to the Standard Contractual Clauses attached hereto. Discovery Education may continue to use those Subprocessors Sub-processors, identified in Appendix 3, already engaged by Vendor Discovery Education as at of the date of this DPAAddendum, subject to Vendor Discovery Education in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor Discovery Education shall give Company Subscriber prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the SubprocessorSub-processor. If, within 14 Calendar days of receipt of that notice, Company notifies Vendor Subscriber shall notify Discovery Education in writing of any objections (on reasonable grounds) to the proposed appointment within ten (10) days after receipt of Discovery Education’s notice. In the event Subscriber objects to the appointment: Vendor shall , as permitted in the preceding sentence, Subscriber may terminate the applicable Order Form(s) with respect only to those Services that cannot appoint (or disclose any Company Personal Data to) be provided by Discovery Education without the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation use of the steps takenobjected-to new Sub-processor by providing written notice to Discovery Education. Discovery Education will refund Subscriber a pro-rated amount to reflect any prepaid Fees that cover the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services.
5.4 With respect to each SubprocessorSub-processor, Vendor Discovery Education shall:
5.4.1 before the Subprocessor first Sub-processor first Processes Company Personal Subscriber Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor Sub-processor is capable of providing the level of protection for Company Personal Subscriber Data required by the Agreement;; and
5.4.2 ensure that the arrangement between on Discovery Education and the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, Sub- processor is governed by a written contract including terms which offer at least the same level of protection for Company Personal Subscriber Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to timeAddendum.
5.5 Vendor Discovery Education shall ensure that each Subprocessor Sub-processor performs the obligations under this DPA Addendum as they apply to the Processing of Company Personal Subscriber Data carried out by that Subprocessor, as if it each Sub- processor were party to this DPA Addendum in place of VendorDiscovery Education. Where a Sub- processor fails to fulfil its data protection obligations, Discovery Education shall remain fully liable to Subscriber for the performance of such Sub-processor’s obligations.
Appears in 1 contract
Sources: Data Processing Addendum
Subprocessing. 5.1 Each Company Group Member authorizes Vendor 11.1 The Controller authorises the Processor to appoint (and permit permits each Subprocessor appointed in accordance with section 6 of this DPA clause 11 to appoint) Subprocessors strictly in accordance with this section 5 clause 11 and any restrictions in the Principal Agreement.
5.2 Vendor 11.2 The Processor may continue to use those Subprocessors already engaged by Vendor the Processor as at the date of this DPAAgreement, subject to Vendor in each case the Processor as soon as practicable meeting the obligations set out in section 5.4clause 11.4.
5.3 Vendor 11.3 The Processor shall give Company the Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar seven (7) days of receipt of that notice, Company notifies Vendor the Controller notifies the Processor in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor , the Processor shall not appoint (or nor disclose any Company Controller Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address except with the objections raised by any Company Group Member and Company has been provided with a reasonable prior written explanation consent of the steps takenController.
5.4 11.4 With respect to each Subprocessor, Vendor the Processor shall:
5.4.1 11.4.1 before the Subprocessor first Processes Company first processes Controller Personal Data (or, where relevant, in accordance with section 5.2)Data, carry out adequate due diligence in accordance with Good Industry Practice to ensure that the Subprocessor is capable of providing the level of protection for Company the Controller Personal Data required by the Principal Agreement;
5.4.2 11.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; Processor and on the other hand the Subprocessor, Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Company the Controller Personal Data as those set out in this DPA Agreement and meet the requirements of article 28(3) of the GDPR;; and
5.4.3 upon request 11.4.3 provide to Company the Controller for review such copies of the Contracted Processors Processors' agreements with Subprocessors (which may be redacted to remove confidential confidential commercial information not relevant to the requirements of this DPAAgreement) as Company the Controller may request from time to time.
5.5 Vendor 11.5 The Processor shall ensure that each Subprocessor performs the applicable obligations under this DPA Agreement, as they apply to Processing processing of Company Controller Personal Data carried out by that Subprocessor, as if it were party to this DPA Agreement in place of Vendorthe Processor.
11.6 The Processor shall be liable for any failure of the Subprocessor to comply with its obligations pursuant to clause 11.5, and shall fully indemnify and keep fully indemnified the Controller against any and all actions, costs, claims, demands, damages, expenses (including legal fees), liabilities, losses and proceedings in connection with any failure of the Subprocessor to comply with its obligations pursuant to clause 11.5.
Appears in 1 contract
Sources: Booking Agreement
Subprocessing. 5.1 Each Company Group The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member authorizes Vendor State in which the data exporter is established. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to appoint (Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority. The parties agree that on the termination of the provision of data-processing services, the data importer and permit each Subprocessor appointed in accordance with section 6 of this DPA to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as subprocessor shall, at the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3 Vendor shall give Company prior written notice choice of the appointment of any new Subprocessordata exporter, including full details return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the Processing to be undertaken by personal data transferred. In that case, the Subprocessor. If, within 14 Calendar days of receipt of data importer warrants that notice, Company notifies Vendor in writing of any objections (on reasonable grounds) to it will guarantee the proposed appointment: Vendor shall not appoint (or disclose any Company Personal Data to) the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation confidentiality of the steps taken.
5.4 With respect to each Subprocessor, Vendor shall:
5.4.1 before personal data transferred and will not actively process the Subprocessor first Processes Company Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure personal data transferred anymore. The data importer and the subprocessor warrant that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet the requirements of article 28(3) upon request of the GDPR;
5.4.3 upon request provide to Company for review such copies data exporter and/or of the Contracted Processors agreements with Subprocessors (which may be redacted supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to remove confidential commercial information not relevant to the requirements of this DPA) as Company may request from time to timein paragraph 1.
5.5 Vendor shall ensure that each Subprocessor performs the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of Vendor.
Appears in 1 contract
Sources: Data Processing Agreement
Subprocessing. 5.1 Each Company Group Member authorizes 7.1 Vendor to appoint (and permit each Subprocessor appointed in accordance with section 6 of this DPA to appoint) Vendor Affiliate shall not engage Subprocessors in accordance with this section 5 acting as a Company’s
7.2 Vendor and any restrictions in the Agreement.
5.2 each Vendor Affiliate may continue to use those Subprocessors already engaged by Vendor or any Vendor Affiliate as at the date of this DPAAddendum, subject to Vendor and each Vendor Affiliate in each case as soon as practicable meeting the obligations set out in section 5.47.4.
5.3 7.3 Vendor shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar 30 days of receipt of that notice, Company notifies notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment: :
7.3.1 Vendor shall work with Company in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
7.3.2 where such a change cannot appoint (or disclose any be made within 30 days from Vendor's receipt of Company's notice, notwithstanding anything in the Principal Agreement, Company Personal Data to) may by written notice to Vendor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Company Group Member and Company has been provided with a reasonable written explanation of the steps takenSubprocessor.
5.4 7.4 With respect to each Subprocessor, Vendor or the relevant Vendor Affiliate shall:
5.4.1 7.4.1 before the Subprocessor first first Processes Company Personal Data (or, where relevant, in accordance with section 5.27.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Principal Agreement;
5.4.2 7.4.2 ensure that the arrangement between on the one hand (a) Vendor Vendor, or (b) the relevant Vendor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this DPA Addendum and meet the requirements of article 28(3) of the GDPR;
5.4.3 upon request 7.4.3 provide to Company for review such copies of the Contracted Processors Processors' agreements with Subprocessors (which may be redacted to remove confidential confidential commercial information not relevant to the requirements of this DPAAddendum) as Company may request from time to time.
5.5 7.4.4 maintain an up-to-date list of Subprocessors (see Annex 4) specifying (i) their name and details, as well as (ii) the nature of the tasks entrusted to them, (iii) the location of the Processing and (iv) the dates of previous audits.
7.5 Vendor and each Vendor Affiliate shall ensure that each Subprocessor performs the obligations under this DPA sections 4.1, 5, 6.1.5, 8.1, 9, 10, 11 and 12.1, as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this DPA Addendum in place of Vendor. Vendor will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Vendor to breach any of Vendor’s obligations under this Addendum.
Appears in 1 contract
Sources: Data Processing Addendum
Subprocessing. 5.1 Each Company Group Member CUSTOMER authorizes Vendor GERBER and each GERBER Affiliate to appoint (and permit each Subprocessor appointed in accordance with this section 6 of this DPA 5 to appoint) Subprocessors in accordance with this section 5 and 5, subject to any restrictions in the Principal Agreement, to conduct Processing described in clause 2.3.
5.2 Vendor GERBER and each GERBER Affiliate may continue to use those for the Processing of CUSTOMER Personal Data the Subprocessors which have been already engaged by Vendor GERBER or any GERBER Affiliate as at of the date of this DPA, subject to Vendor in each case as soon as practicable meeting the obligations set out in section 5.4Addendum.
5.3 Vendor GERBER shall give Company CUSTOMER prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 Calendar 10 days of receipt of that notice, Company notifies Vendor CUSTOMER notifies GERBER in writing of any objections (on reasonable grounds) to the proposed appointment: Vendor , neither GERBER nor any GERBER Affiliate shall not appoint (or nor disclose nor transfer any Company CUSTOMER Personal Data to) the proposed Subprocessor until reasonable steps have been taken except with the prior written consent of CUSTOMER. If CUSTOMER objects to address the objections raised appointment of a proposed Subprocessor then GERBER shall be entitled to either propose another Subprocessor or terminate the respective Service by any Company Group Member and Company has been provided with a reasonable written explanation of notice to the steps takenCUSTOMER.
5.4 With respect to each Subprocessor, Vendor GERBER or the relevant GERBER Affiliate shall:
5.4.1 before the Subprocessor first first Processes Company CUSTOMER Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company CUSTOMER Personal Data required by the AgreementPrincipal Agreement and this Addendum;
5.4.2 ensure that the arrangement between on the one hand (a) Vendor GERBER, or (b) the relevant GERBER Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which that offer at least the same level of protection for Company CUSTOMER Personal Data as those set out in this DPA Addendum and meet the requirements of article 28(3) of the GDPR;; and
5.4.3 upon request provide to Company for review such copies of the Contracted Processors agreements with Subprocessors if that arrangement involves a Restricted Transfer, (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPAa) as Company may request from time to time.
5.5 Vendor shall ensure that each Subprocessor performs Standard Contractual Clauses are at all relevant times properly incorporated into the obligations under this DPA as they apply to Processing of Company Personal Data carried out by that agreement between GERBER or the relevant GERBER Affiliate and the Subprocessor, as if it were party or (b) before the Subprocessor first Processes CUSTOMER Personal Data, require the Subprocessor to this DPA in place of Vendorenter into an agreement with CUSTOMER that incorporates the Standard Contractual Clauses.
Appears in 1 contract
Sources: Data Processing Addendum