Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall: (a) report to the other Party every [enter number] months on: (i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf); (ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data; (iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation; (iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and (v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period; (b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v); (c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation; (d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex; (e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information; (f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data; (g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel: (i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information (ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so; (iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation; (h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and (i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event. 2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 145 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 96 contracts
Sources: G Cloud 13 Call Off Contract, G Cloud 13 Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) : report to the other Party every [enter insert number] months on:
(i) : the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) ; the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) ; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) ; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) ; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) ; provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) ; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) ; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) ; take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnel:
(i) Personnel: are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) Information are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) ; have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ; ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Data Loss Event;
(iii) ; state of technological development; and
(iv) and cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 23 contracts
Sources: G Cloud 13 Call Off Contract, G Cloud 13 Call Off Contract, G Cloud 13 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
(k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 13 contracts
Sources: Call Off Contract, G Cloud 14 Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 10 contracts
Sources: G Cloud 14 Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiClauses
2.1 (a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 7 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
(k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non- transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 6 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
; (iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 5 contracts
Sources: Call Off Contract, Call Off Contract, G Cloud Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer CCS each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 5 contracts
Sources: Framework Agreement, Framework Agreement, Framework Agreement
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
Information (ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 4 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) : report to the other Party every [enter number] months on:
(i) : the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) ; the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) ; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) ; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) ; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) ; provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) ; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) ; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) ; take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) : are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) Information are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) ; have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ; ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Data Loss Event;
(iii) ; state of technological development; and
(iv) and cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 3 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 3 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
Information (ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 2 contracts
Sources: Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) : report to the other Party every [enter numberx] months on:
(i) : the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) ; the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) ; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) ; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) ; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) ; provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) ; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) ; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take ; use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnel:
(i) Personnel: are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) ; and have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ; ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Personal Data Loss Event;
(iii) Breach; state of technological development; and
(iv) and cost of implementing any measures;
(i) ; ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) and ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach. where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled: the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the EU GDPR; or the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 2 contracts
Sources: Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 2 contracts
Sources: Order Form, Order Form
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] 12 months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 2 contracts
Sources: Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] 3 months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 2 contracts
Sources: Call Off Contract, Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] 12 months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberX] months month on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;.
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;.
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;.
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;.
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;.
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;.
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;.
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information.
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;.
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any toany request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) 2.1.1 report to the other Party every [enter numberx] months on:
(i) 2.1.1.1 the volume of Data Subject Request Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) 2.1.1.2 the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) 2.1.1.3 any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) 2.1.1.4 any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) 2.1.1.5 any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) 2.1.2 notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) Paragraphs 2.1.1.1 to (v)2.1.1.5 of this Part B Joint Controller Agreement of Annex 1 – Processing Personal Data;
(c) 2.1.3 provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) Paragraphs 1.2 and 2.1.1.3 to
2.1.1. 5 of this Part B Joint Controller Agreement of Annex 1 – Processing Personal Data; to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) 2.1.4 not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annexof this of this Part B Joint Controller Agreement of Annex 1 – Processing Personal Data;
(e) 2.1.5 request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) 2.1.6 ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps 2.1.7 use best endeavours to ensure the reliability and integrity of any of its personnel Processor Personnel who have access to the Personal Data and ensure that its personnelProcessor Personnel:
(i) 2.1.7.1 are aware of and comply with their ’s duties under this Annex 2 (of this Part B Joint Controller Agreement) Agreement of Annex 1 – Processing Personal Data; and those in respect of Confidential Information
(ii) 2.1.7.2 are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) 2.1.7.3 have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) 2.1.8 ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) 2.1.9 ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.;
2.2 2.1.10 not transfer such Personal Data outside of the UK and/or the EEA unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
2.1.10.1 the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74A and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or
2.1.10.2 the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75 and/or the transfer is in accordance with Article 46 of the EU GDPR (where applicable)) as agreed with the non-transferring Party which could include the relevant parties entering into:
(a) Where the transfer is subject to the UK GDPR:
(i) The UK International Data Transfer Agreement (the “IDTA”), as published by the Information Commissioner’s office under section 119A(1) of the DPA 2018 from time to time; or
(ii) the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time (“EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner's Office from time to time and/or;
(b) Where the transfer is subject to the EU GDPR, the EU SCCs, as well as any additional measures determined by the non-transferring Party being implemented by the importing Party;
2.1.10.3 the Data Subject has enforceable rights and effective legal remedies;
2.1.10.4 the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
2.1.10.5 the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data;
2.1.11 Each Joint Controller shall use its reasonable best endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Short Form Contract for the Supply of Goods and/or Services
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] four months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] 2 months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 3 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Per ▇▇▇▇▇ Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint complain t or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall shal l not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) ; the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) ; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) ; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) ; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) ; provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) ; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) ; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) ; take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) : are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) Information are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) ; have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 (1) The Supplier and the Buyer Relevant Authority each undertake that they shall:
(ai) report to the other Party every [enter numberx] months on:
(i1) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii2) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii3) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv4) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v5) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(bii) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(ciii) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(div) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(ev) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(fvi) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(gvii) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i1) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii2) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii3) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(hviii) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i1) nature of the data to be protected;
(ii2) harm that might result from a Personal Data Loss EventBreach;
(iii3) state of technological development; and
(iv4) cost of implementing any measures;
(iix) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(iand x) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (2) Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 Each Joint Controller shall use its reasonable endeavours to assist (i) processing of the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligationsPersonal Data.
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Request Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses Paragraphs 2.1(a)(i) to (v)) of this Error! Reference source not found. of Annex 1 – Processing Personal Data;
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses Paragraphs 2.1(a)(iii) to (v) of this Error! Reference source not found. of Annex 1 – Processing Personal Data; to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annexof this of this Error! Reference source not found. of Annex 1 – Processing Personal Data;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Processor Personnel who have access to the Personal Data and ensure that its personnelProcessor Personnel:
(i) are aware of and comply with their ’s duties under this of this Error! Reference source not found. of Annex 2 (Joint Controller Agreement) 1 – Processing Personal Data; and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach;
(j) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 73; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include the relevant parties entering into International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(k) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the Processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Terms and Conditions
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Request Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;Law,
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses Paragraphs 2.1(a)(i) to (v)) of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data;
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;in
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annexof this of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Processor Personnel who have access to the Personal Data and ensure that its personnelProcessor Personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (of this Part B – Joint Controller Agreement) Agreement of Annex 1 – Processing Personal Data; and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; andat
(i) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach;
(j) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 73; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include the relevant parties entering into International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(k) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the Processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 1.1.1.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] 1 months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer CCS each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Data Loss Event;
(iii) ; state of technological development; and
(iv) and cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) and ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: G Cloud 12 Framework Agreement
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months 1 month or until the expiry of this agreement, on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller C ontroller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects Subject s (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: G Cloud 13 Call Off Contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under und er the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holdsit hold s; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer Customer each undertake that they shall:
(a) 2.1.1 report to the other Party every [enter number] 3 months on:
(ia) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(iib) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iiic) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(ivd) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(ve) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) 2.1.2 notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(iParagraphs 2.1.1(a) to (ve);
(c) 2.1.3 provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiParagraphs 2.1.1(c) to (ve) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) 2.1.4 not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) 2.1.5 request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) 2.1.6 ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take 2.1.7 use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(ia) are aware of and comply with their ’s duties under this Annex 2 Schedule 8 (Joint Controller Agreement) and those in respect of Confidential Information;
(iib) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iiic) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) 2.1.8 ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(ia) nature of the data to be protected;
(iib) harm that might result from a Personal Data Loss EventBreach;
(iiic) state of technological development; and
(ivd) cost of implementing any measures;
(i) 2.1.9 ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) 2.1.10 ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach;
2.1.11 where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
a) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 73; or
b) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
c) the Data Subject has enforceable rights and effective legal remedies;
d) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
e) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
2.1.12 where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of non-transferring Party has been obtained and the following conditions are fulfilled:
a) the transfer is in accordance with Article 45 of the EU GDPR; or
b) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU as well as any additional measures;
c) the Data Subject has enforceable rights and effective legal remedies;
d) the transferring Party complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
e) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Contract Order Form
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number3] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] three months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 1.1.1.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.1.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] three months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiClauses
2.1 (a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer Authority each undertake that they shall:
(a) (a) report to the other Party every [enter number] months on:quarterly (on dates to align with the
(i) the volume of Data Subject Request Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, ; that it has received in relation to the subject matter of the Contract Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses Paragraphs 2.1(a)(i) to (va)(v);; and
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiParagraphs 2.1(a)(i) to (va)(v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;.
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract this Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party). For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;Annex 1 (Joint Controller Agreement).
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;.
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 1 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;.
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex 1 (Joint Controller Agreement) in such a way as to cause the other Joint Controller to breach any of its its’ obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Recruitment Services Agreement
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Request Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;,
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses Paragraphs 2.1(a)(i) to (v)) of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data;
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses Paragraphs 2.1(a)(iii) to (v) of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data; to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annexof this of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Processor Personnel who have access to the Personal Data and ensure that its personnelProcessor Personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (of this Part B – Joint Controller Agreement) Agreement of Annex 1 – Processing Personal Data; and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach;
(j) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 73; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include the relevant parties entering into International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(k) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the Processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] two months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiClauses
2.1 (a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months month on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(and v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior that disclosure or transfer of Personal Data is otherwise considered to disclosing or transferring the be lawful processing of that Personal Data to the third party▇▇▇▇▇.▇▇ accordance with Article 6 of the UK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event EventBreach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventEventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventEventBreach.
(k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non- transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] number months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
(k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual ▇▇▇▇▇▇▇ as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer CCS each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party). For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Data Sharing Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection LegislationLaw;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(iii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Framework Agreement
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) : report to the other Party every [enter number] 24 months on:
(i) : the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) ; the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) ; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) ; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) ; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) ; provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) ; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) ; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) ; take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnel:
(i) Personnel: are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) Information are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) ; have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ; ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Data Loss Event;
(iii) ; state of technological development; and
(iv) and cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties.
2.1 The Supplier and the Buyer each undertake that they shall:
(a) 2.1.1 report to the other Party every [enter numberx] months on:
(i) 2.1.1.1 the volume of Data Subject Request Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);behalf);
(ii) 2.1.1.2 the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) 2.1.1.3 any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;Legislation;
(iv) 2.1.1.4 any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) 2.1.1.5 any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, Law, that it has received in relation to the subject matter of the Contract during that period;
(b) 2.1.2 notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(iParagraphs 2.1.1.1 to 2.1.1.5 of this Part B Joint Controller Agreement (Optional)Joint Controller Agreement (Optional) to (v)of Annex 1 – Processing Personal Data;
(c) 2.1.3 provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiParagraphs 1.2 and 2.1.1.3 to 2.1.1.5 of this Part B Joint Controller Agreement (Optional)Joint Controller Agreement (Optional) to (v) of Annex 1 – Processing Personal Data; to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) 2.1.4 not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annexof this of this Part B Joint Controller Agreement (Optional)Joint Controller Agreement (Optional) of Annex 1 – Processing Personal Data;
(e) 2.1.5 request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) 2.1.6 ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all 2.1.7 use bestall reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Processor Personnel who have access to the Personal Data and ensure that its personnelProcessor Personnel:
(i) 2.1.7.1 are aware of and comply with their ’s duties under this Annex 2 (of this Part B Joint Controller AgreementAgreement (Optional)Joint Controller Agreement (Optional) of Annex 1 – Processing Personal Data; and those in respect of Confidential Information
(ii) 2.1.7.2 are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) 2.1.7.3 have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) 2.1.8 ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) 2.1.9 ensure that it notifies the other Party as soon as it becomes aware of a Personal Data BreachData Loss Event.;
2.2 Each Joint Controller shall use its reasonable endeavours 2.1.10 where the Personal Data is subject to assist UK GDPR, not transfer such Personal Data outside of the other Controller to comply UK and/or the EEA unless the prior written consent of the non- transferring Party has been obtained and the following conditions are fulfilled:
2.1.10.1 the transfer is in accordance with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex Article 45 of the UK GDPR or DPA 2018 Section 74A and/or the transfer is in such a way as to cause accordance with Article 45 of the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation EU GDPR (where applicable)3; or
2.1.10.2 the transferring Party has provided appropriate safeguards in relation to the extent it transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75 and/or the transfer is awarein accordance with Article 46 of the EU GDPR (where applicable)) as agreed with the non-transferring Party which could include the relevant parties entering into:
(a) Where the transfer is subject to the UK GDPR:
(i) The UK International Data Transfer Agreement (the “IDTA”), or ought reasonably International Data Transfer Agreement Addendum to have been awarethe European Commission’s SCCs (the “Addendum”), that as published by the same would be a breach Information Commissioner’s office under section 119A(1) of the DPA 2018 from time to time; or
(ii) the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such obligationsStandard Contractual Clauses as are published by the European Commission from time to time (“EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner's Office from time to time and/or;
(b) Where the transfer is subject to the EU GDPR, the EU SCCs,
Appears in 1 contract
Sources: Short Form Contract for the Supply of Goods and/or Services
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter number3] months on: Framework Ref:RM6187 Model Version: v 3.2 87
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Framework Ref:RM6187 Model Version: v 3.2 88 Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) i. nature of the data to be protected;
(ii) . harm that might result from a Data Loss Event;
(iii) . state of technological development; and
(iv) . cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter number] months 1 month on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(iii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligationsBreach;
Appears in 1 contract
Sources: Order Form
Undertakings of both Parties. 2.1 1.1 The Supplier and the Buyer CCS each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(iii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Framework Agreement
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 Each Joint Controller shall use (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its reasonable obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the other Controller to comply non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any obligations under applicable reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data Protection Legislation is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and shall not perform the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under this Annex EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non- transferring Party in such a way as meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to cause it in advance by the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation non-transferring Party with respect to the extent it is aware, or ought reasonably to have been aware, that processing of the same would be a breach of such obligationsPersonal Data.
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] 12 months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
(k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the nontransferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] six (6) months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: G Cloud 13 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.2.1 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] two months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberinsert number 3] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: G Cloud 13 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter number] months as reasonably requested on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer Relevant Authority each undertake that they shall:
(a) report to the other Party every [enter number] months month on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iiiClauses
2.1 (a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
Information (ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) : the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) ; the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) ; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) ; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) ; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) ; provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) ; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) ; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take ; use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnel:
(i) Personnel: are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) ; are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) ; and have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ; ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Personal Data Loss Event;
(iii) Breach; state of technological development; and
(iv) and cost of implementing any measures;
(i) ; ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) and ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss Event.
2.2 Each Joint Controller shall use Breach. where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled: the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its reasonable obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the other Controller to comply non-transferring Party in meeting its obligations); and the transferring Party complies with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex reasonable instructions notified to it in such a way as to cause advance by the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation non-transferring Party with respect to the extent it is aware, or ought reasonably to have been aware, that processing of the same would be a breach of such obligationsPersonal Data; and
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) handle and report to the other Party every [enter number] months on:these on a case by case basis.
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer CCS each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) : nature of the data to be protected;
(ii) ; harm that might result from a Data Loss Event;
(iii) ; state of technological development; and
(iv) and cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) and ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: G Cloud 13 Framework Agreement
Undertakings of both Parties. 2.1 1.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter numberx] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: G Cloud 14 Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s 's obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s 's duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number3] months on:
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer CCS each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: G Cloud 13 Framework Agreement
Undertakings of both Parties. 2.1 1.1.2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months Quarter on:: July 2025
(i) the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract Framework Agreement during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract Framework Agreement or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing that disclosure or transferring the transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the third partyUK GDPR or EU GDPR (as the context requires). For the avoidance of doubt doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take use all reasonable steps endeavours to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information;
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;; and
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Loss Event Breach having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Personal Data Loss EventBreach;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(ij) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Loss EventBreach.
2.2 (k) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR or DPA 2018 Section 74; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (“the Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(l) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
1.1.2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] two months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (( Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] three months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel Personnel who have access to the Personal Data and ensure that its personnelPersonnel:
(i) are aware of and comply with their ’s duties under this Annex ▇▇▇▇▇ 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier it holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Sources: Call Off Contract