Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 4 contracts
Sources: Short Form Contract for the Supply of Goods and/or Services, Supply of Goods and/or Services Contract, Contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 4 contracts
Sources: Supply of Services Contract, Order Form, Short Form Contract for the Supply of Goods and/or Services
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must the only process Personal Data if processing that the Processor is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR and EU GDPR (as applicable). The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) which may include, at the discretion of the Controller: a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) . The Processor must notify must, in in relation to any Personal Data processed under this Contract: process that Personal Data only in accordance with Part A Authorised Processing Template of Annex 1 – Processing Personal Data unless the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures is required to protect against a Data Loss Event which must be approved do otherwise by the Controller.
(e) Law. If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
. put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller. Ensure that: the Processor Personnel do not process Personal Data except in accordance with this Contract (f) The Processor must use all reasonable and in particular Part A Authorised Processing Template of Annex 1 – Processing Personal Data); it uses best endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, . the Processor must not transfer Personal Data outside of the UK and/or the EEA unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 74A of DPA 2018) and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) and/or the transfer is in accordance with Article 46 of the EU GDPR (where applicable) as determined by the Controller which could include relevant parties entering into: where the transfer is subject to UK GDPR: the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the “Addendum”), as published by the Information Commissioner's Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller;
; the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time (iii“EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner's Office from time to time; and/or where the transfer is subject to EU GDPR, the EU SCCs, as well as any additional measures determined by the Controller being implemented by the importing party; the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where . The Processor must at the written direction of the Controller, delete or return Personal Data is subject (and any copies of it) to EU GDPR, the Controller on termination of the Contract unless the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation required by Law to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of retain the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) 14.9.6 includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 3 contracts
Sources: Short Form Contract, Short Form Contract, Short Form Contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – (Processing Personal Data Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected processing envisaged Processing and its purpose;
(ii) the purpose of the Processing; an assessment of the necessity and proportionality of the processing operations;
(iii) Processing in relation to the Solution; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must notify shall, in relation to any Personal Data Processed in connection with its obligations under this Agreementt: Process that Personal Data only in accordance with Annex 1 (Processing Personal Data), unless the Controller immediately if Processor is required to do otherwise by Law. If it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controlleris so required, the Processor must shall promptly notify the Controller if before Processing the Personal Data unless prohibited by Law; ensure that it has in place appropriate technical and organisational measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the technical and organisational measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Breach; state of technological development; and cost of implementing any measures; ensure that: the Processor is otherwise required to process Personnel do not Process Personal Data by Law before processing it.
except in accordance with this Agreement (f) The Processor must use and in particular Annex 1 (Processing Personal Data)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) they are: are aware of and comply with the Processor's ’s duties under this clause 14;
Fourth Schedule and Clause 24 (ii) Confidential Information); are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) Sub-processor; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contractthis Agreement; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 of the EU GDPR or LED Article 37) as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the Processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of this Agreement unless the Processor must is required by Law to retain the Personal Data. Subject to paragraph 7 of this Fourth Schedule, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with this Agreement it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed Processed under this Contract;
(v) Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Data Loss Event.
(k) Any requirement Breach. The Processor’s obligation to notify under clause (j) includes paragraph 6 of this Fourth Schedule shall include the provision of further information to the Controller in stages phases, as details become available.
(i) The . Taking into account the nature of the Processing, the Processor must promptly shall provide the Controller with full reasonable assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause paragraph 6 of this Fourth Schedule (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by promptly providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Data Loss EventBreach; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) Office. The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Fourth Schedule. This requirement does not apply where the The Processor employs fewer than 250 staff, unless either shall allow for audits of its Processing activity by the Controller determines that or the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor to process Process any Personal DataData related to this Agreement, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor and processing;
(ii) Processing; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so which give effect to the terms set out in this Fourth Schedule such that this clause 14 applies they apply to the Subprocessor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At of its Subprocessors. The End User may, at any time the Buyer can, with on not less than 30 Working Days’ notice to the Suppliernotice, change revise this clause 14 to replace Fourth Schedule by replacing it with any applicable controller to processor standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contractthis Agreement).
(q) . The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or ’s Office. The End User may on not less than 30 Working Days’ notice to the Supplier amend this Agreement to ensure that it complies with any other regulatory authorityguidance issued by the Information Commissioner’s Office.
Appears in 3 contracts
Sources: Call Off Contract, Call Off Contract, Call Off Contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 2 contracts
Sources: Supply of Goods and/or Services Contract, Terms and Conditions
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only processing that it is authorised to do is listed in Part A - Authorised Processing Template of Annex 1 (Processing Personal Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected processing envisaged Processing and its purpose;
(ii) the purpose of the Processing; an assessment of the necessity and proportionality of the processing operations;
(iii) Processing in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must notify shall, in relation to any Personal Data Processed in connection with its obligations under the Controller immediately if it thinks the Controller's instructions breach the Call Off Contract: Process that Personal Data Protection Legislation.
only in accordance with Annex 1 (d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the ControllerProcessing Personal Data), unless the Processor must is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller if before Processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, including in the case of the Supplier the measures set out in Clause 34.6 of the Call Off Contract, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor is otherwise required to process Personnel do not Process Personal Data by Law before processing it.
except in accordance with the Call Off Contract (f) The Processor must use and in particular Annex 1 (Processing Personal Data)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor's ’s duties under this clause 14;
Schedule 16 and Clause 34.6 (ii) Data protection); are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) Sub-processor; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Call Off Contract; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 of the EU GDPR or LED Article 37) as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the Processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Call Off Contract unless the Processor must is required by Law to retain the Personal Data. Subject to paragraph 7 of this Schedule 16, the Processor shall notify the Controller immediately if it:
(i) receives a in relation to it Processing Personal Data Subject Access Request (under or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the ControllerCall Off Contract it:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 2 contracts
Sources: Call Off Contract, Call Off Contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only processing that the Processor is authorised to do is listed in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR and EU GDPR (as applicable). The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, which may include, at the discretion of the Controller:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must, in relation to any Personal Data processed under this Contract:
process that Personal Data only in accordance with Part A Authorised Processing Template of Annex 1 – Processing Personal Data unless the Processor is required to do otherwise by Law. If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
Ensure that: the Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Part A Authorised Processing Template of Annex 1 – Processing Personal Data); it uses best endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, . the Processor must not transfer Personal Data outside of the UK and/or the EEA unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) : the transfer is in accordance with Article 45 of the UK GDPR (or section 73 74A of DPA 2018) and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or
(ii) or the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) and/or the transfer is in accordance with Article 46 of the EU GDPR (where applicable) as determined by the Controller which could include relevant parties entering into into: where the transfer is subject to UK GDPR: the International Data Transfer Agreement (the "“IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"”), as published by the Information Commissioner's Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller;
; the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time (iii“EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner's Office from time to time; and/or where the transfer is subject to EU GDPR, the EU SCCs, as well as any additional measures determined by the Controller being implemented by the importing party; the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where . The Processor must at the written direction of the Controller, delete or return Personal Data is subject (and any copies of it) to EU GDPR, the Controller on termination of the Contract unless the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation required by Law to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of retain the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 2 contracts
Sources: Short Form Contract for the Supply of Goods and/or Services, Short Form Contract for the Supply of Goods and/or Services
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Sources: Order Form
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must the only process Personal Data if processing that the Processor is authorised to do so is listed in Part A - Authorised Processing Template Error! Reference source not found. Error! Reference source not found. of Annex 1 – Processing Personal Data Not Used by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR and EU GDPR (as applicable). The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) which may include, at the discretion of the Controller: a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) . The Processor must notify must, in in relation to any Personal Data processed under this Contract: process that Personal Data only in accordance with Error! Reference source n ot found. Error! Reference source not found. of Annex 1 – Not Used unless the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures is required to protect against a Data Loss Event which must be approved do otherwise by the Controller.
(e) Law. If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
. put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller. Ensure that: the Processor Personnel do not process Personal Data except in accordance with this Contract (f) The Processor must use all reasonable and in particular Error! Reference s ource not found. Error! Reference source not found. of Annex 1 – Not Used); it uses best endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK and/or the EEA unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 74A of DPA 2018) and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) and/or the transfer is in accordance with Article 46 of the EU GDPR (where applicable) as determined by the Controller which could include relevant parties entering into: where the transfer is subject to UK GDPR: the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller;
the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time (“EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner's Office from time to time; and/or where the transfer is subject to EU GDPR, the EU SCCs, as well as any additional measures determined by the Controller being implemented by the importing party;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) The Processor must at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Contract unless the Processor is required by Law to retain the Personal Data. Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must the only process Personal Data if processing that the Processor is authorised to do so is listed in Part A - Authorised Processing Template Error! Reference source not found. Error! Reference source not found. of Annex 1 – Processing Personal Data by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR and EU GDPR (as applicable). The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) which may include, at the discretion of the Controller: a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) . The Processor must notify must, in in relation to any Personal Data processed under this Contract: process that Personal Data only in accordance with Error! Reference source n ot found. Error! Reference source not found. of Annex 1 – Processing Personal Data unless the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures is required to protect against a Data Loss Event which must be approved do otherwise by the Controller.
(e) Law. If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
. put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller. Ensure that: the Processor Personnel do not process Personal Data except in accordance with this Contract (f) The Processor must use all reasonable and in particular Error! Reference s ource not found. Error! Reference source not found. of Annex 1 – Processing Personal Data); it uses best endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK and/or the EEA unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 74A of DPA 2018) and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) and/or the transfer is in accordance with Article 46 of the EU GDPR (where applicable) as determined by the Controller which could include relevant parties entering into: where the transfer is subject to UK GDPR: the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller;
the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time (“EU SCCs”), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the “Addendum”) as published by the Information Commissioner's Office from time to time; and/or where the transfer is subject to EU GDPR, the EU SCCs, as well as any additional measures determined by the Controller being implemented by the importing party;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) The Processor must at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Contract unless the Processor is required by Law to retain the Personal Data. Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Sources: Short Form Contract for the Supply of Goods and/or Services
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only Processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – (Processing Personal Data Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected processing envisaged Processing and its purpose;
(ii) the purpose of the Processing; an assessment of the necessity and proportionality of the processing operations;
(iii) Processing in relation to the Deliverables; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must shall, in relation to any Personal Data Processed in connection with its obligations under the Contract: Process that Personal Data only in accordance with Annex 1 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall notify the Controller immediately if before Processing the Personal Data unless prohibited by Law; ensure that it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put has in place appropriate Protective Measures Measures, including in the case of the Supplier the measures set out in Clause 14.3 of the Core Terms, which the Controller may reasonably reject (but failure to protect against a Data Loss Event which must be approved reject shall not amount to approval by the Controller.
(eController of the adequacy of the Protective Measures) If lawful having taken account of the: nature of the data to notify the Controller, be protected; harm that might result from a Personal Data Breach; state of technological development; and cost of implementing any measures; ensure that : the Processor must promptly notify the Controller if the Processor is otherwise required to process Personnel do not Process Personal Data by Law before processing it.
except in accordance with the Contract (f) The Processor must use and in particular Annex 1 (Processing Personal Data)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor’s duties under this clause 14;
Joint Schedule 11, Clauses 14 (iiData protection), 15 (What you must keep confidential) and 16 (When you can share information) of the Core Terms; are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) ; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contract; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must ; not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) : the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) or the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s Office from time to time, as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) ; the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the Processing of the Personal Data; where the Personal Data is subject to EU GDPR, not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the EU GDPR; or the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the non-transferring Party; the Data Subject has enforceable rights and effective legal remedies; the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Contract unless the Processor must is required by Law to retain the Personal Data. Subject to paragraph 8 of this Joint Schedule 11, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with the Contract it:
(i) : receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; receives a request to rectify, block or erase any Personal Data;
(iii) ; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed Processed under this the Contract;
(v) ; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Personal Data Loss Event.
(k) Any requirement Breach. The Processor’s obligation to notify under clause (j) includes paragraph 7 of this Joint Schedule 11 shall include the provision of further information to the Controller in stages Controller, as details become available.
(i) The . Taking into account the nature of the Processing, the Processor must promptly shall provide the Controller with full assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause paragraph 7 of this Joint Schedule 11 (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by immediately providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Personal Data Loss EventBreach; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) Office. The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Joint Schedule 11. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: the Controller determines that the processing:
(i) Processing is not occasional;
(ii) ; the Controller determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or the Controller determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor to process Process any Personal DataData related to the Contract, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor and processing;
(ii) Processing; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so which give effect to the terms set out in this Joint Schedule 11 such that this clause 14 applies they apply to the Subprocessor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At of its Subprocessors. The Relevant Authority may, at any time the Buyer can, with 30 on not less than thirty (30) Working Days’ notice to the Suppliernotice, change revise this clause 14 to replace Joint Schedule 11 by replacing it with any applicable controller to processor standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) . The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or ’s Office. The Relevant Authority may on not less than thirty (30) Working Days’ notice to the Supplier amend the Contract to ensure that it complies with any other regulatory authorityguidance issued by the Information Commissioner’s Office.
Sources: Call Off Contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only Processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – Processing Schedule 13 (Processing, Personal Data and Data Subjects) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected processing envisaged Processing operations and its purpose;
(ii) the purpose of the Processing; an assessment of the necessity and proportionality of the processing operations;
(iii) Processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only in accordance with Schedule 13 (Processing, Personal Data and Data Subjects), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller immediately if Authority before Processing the Personal Data unless prohibited by Law; ensure that it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put has in place appropriate Protective Measures Measures, including in the case of the Controller the measures set out in Clause 11 (Authority Data), which the Controller may reasonably reject (but failure to protect against reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, Event; state of technological development; and cost of implementing any measures; ensure that: the Processor must promptly notify the Controller if the Processor is otherwise required to Personnel do not process Personal Data by Law before processing it.
except in accordance with this Contract (f) The Processor must use and in particular Schedule 13 (Processing, Personal Data and Data Subjects)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor’s duties under this clause 14;
Clause 12 (iiProtection of Personal Data), Clause 11 (Authority Data) and Clause 27 (Confidential Information) of this Schedule 2; are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) Sub-processor; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the this Contract; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must ; not transfer Personal Data outside of the UK EU, other than to the Controller, unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) : the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 of the GDPR or section Section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) ; the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing Processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Contract unless the Processor must is required by Law to retain the Personal Data. Subject to Clause 12.7 of this Schedule 2, the Processor shall notify the Controller immediately if it:
(i) : receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; receives a request to rectify, block or erase any Personal Data;
(iii) ; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) ; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Data Loss Event.
(k) Any requirement . The Processor’s obligation to notify under clause (j) includes Clause 12.6 of this Schedule 2 shall include the provision of further information to the Controller in stages phases, as details become available.
(i) The . Taking into account the nature of the Processing, the Processor must promptly shall provide the Controller with full reasonable assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause Clause 12.6 of this Schedule 2 (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by promptly providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Data Loss Event; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) Office. The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: the Controller determines that the processing:
(i) Processing is not occasional;
(ii) ; the Controller determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or the Controller determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . The Processor shall allow for audits of its Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor Sub-processor to process any Personal DataData related to this Contract, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor Sub-processor and processing;
(ii) Processing; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so that this clause 14 applies Sub-processor which give effect to the Subprocessorterms set out in this Clause 12 (Protection of Personal Data) such that they apply to the Sub-processor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that Sub-processor as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At of its Sub-processors. The Authority may, at any time the Buyer can, with on not less than 30 Working Days’ notice to the Suppliernotice, change revise this clause 14 to replace Clause by replacing it with any applicable controller to processor standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the this Contract).
(q) . The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or ’s Office. The Authority may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure that it complies with any other regulatory authorityguidance issued by the Information Commissioner’s Office.
Sources: Conditions of Contract for the Provision of Services
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in
(b) Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into
(c) Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(bd) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(ce) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(df) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(eg) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(fh) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
UKHSA Short Form Contract
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(gi) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(hj) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(ik) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(jl) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(km) Any requirement to notify under clause (jl) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (jl). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(ln) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(mo) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(np) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(oq) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(pr) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(qs) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Sources: Short Form Contract for the Supply of Goods and/or Services
Where one Party is Controller and the other Party its Processor. (a) o Where a Party is a Processor, the only Processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – (Processing Personal Data Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) o The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. o The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, including:
(i) at the discretion of the Controller, include: ▪ a systematic description of the expected processing envisaged Processing and its purpose;
(ii) the purpose of the Processing; ▪ an assessment of the necessity and proportionality of the processing operations;
(iii) Processing in relation to the Deliverables; ▪ an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and ▪ the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . o The Processor must shall, in relation to any Personal Data Processed in connection with its obligations under the Contract: ▪ Process that Personal Data only in accordance with Annex 1 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall notify the Controller immediately if before Processing the Personal Data unless prohibited by Law; ▪ ensure that it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put has in place appropriate Protective Measures Measures, including in the case of the Supplier the measures set out in Clause 14.3 of the Core Terms, which the Controller may reasonably reject (but failure to protect against a Data Loss Event which must be approved reject shall not amount to approval by the Controller.
(eController of the adequacy of the Protective Measures) If lawful having taken account of the: ● nature of the data to notify the Controller, be protected; ● harm that might result from a Personal Data Breach; ● state of technological development; and ● cost of implementing any measures; ▪ ensure that : ● the Processor must promptly notify the Controller if the Processor is otherwise required to process Personnel do not Process Personal Data by Law before processing it.
except in accordance with the Contract (f) The Processor must use and in particular Annex 1 (Processing Personal Data)); ● it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : o are aware of and comply with the Processor's ’s duties under this clause 14;
Joint Schedule 11, Clauses 14 (iiData protection), 15 (What you must keep confidential) and 16 (When you can share information) of the Core Terms; o are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) ; o are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contract; and
(iv) and o have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must ; ▪ not transfer Personal Data outside of the UK or EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) : ● the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018LED Article 37) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) ● the Data Subject has enforceable rights and effective legal remedies;
(iii) ; ● the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and ● the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing Processing of the Personal Data.
; and ▪ at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Contract unless the Processor must is required by Law to retain the Personal Data. o Subject to paragraph 8 of this Joint Schedule 11, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with the Contract it:
(i) : ▪ receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; ▪ receives a request to rectify, block or erase any Personal Data;
(iii) ; ▪ receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; ▪ receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed Processed under this the Contract;
(v) ; ▪ receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or ▪ becomes aware of a Personal Data Loss Event.
(k) Any requirement Breach. o The Processor’s obligation to notify under clause (j) includes paragraph 7 of this Joint Schedule 11 shall include the provision of further information to the Controller in stages Controller, as details become available.
(i) The . o Taking into account the nature of the Processing, the Processor must promptly shall provide the Controller with full assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause paragraph 7 of this Joint Schedule 11 (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by immediately providing: ▪ the Controller with full details and copies of the complaint, communication or request;
(iii) ; ▪ such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; ▪ the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; ▪ assistance that it requests as requested by the Controller following any Personal Data Loss EventBreach; and
(vi) and/or ▪ assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) Office. o The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Joint Schedule 11. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: ▪ the Controller determines that the processing:
(i) Processing is not occasional;
(ii) ; ▪ the Controller determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or ▪ the Controller determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . o The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. o The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . o Before allowing any Subprocessor to process Process any Personal DataData related to the Contract, the Processor must:
(i) : ▪ notify the Controller in writing of the intended Subprocessor and processing;
(ii) Processing; ▪ obtain the written consent of the Controller;
(iii) ; ▪ enter into a written contract agreement with the Subprocessor so which give effect to the terms set out in this Joint Schedule 11 such that this clause 14 applies they apply to the Subprocessor; and
(iv) and ▪ provide the Controller with any such information about regarding the Subprocessor that as the Controller may reasonably requires.
(o) require. o The Processor remains shall remain fully liable for all acts or omissions of any Subprocessorof its Subprocessors.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Sources: Order Form
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only Processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex Appendix 1 – (Processing Personal Data Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected processing envisaged Processing and its purpose;
(ii) the purpose of the Processing; an assessment of the necessity and proportionality of the processing operations;
(iii) Processing in relation to the Offered Deliverables; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must shall, in relation to any Personal Data Processed in connection with its obligations under the Contract: Process that Personal Data only in accordance with Appendix 1 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall notify the Controller immediately if before Processing the Personal Data unless prohibited by Law; ensure that it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put has in place appropriate Protective Measures Measures, including in the case of the Supplier the measures set out in clause 14.3 of the Conditions, which the Controller may reasonably reject (but failure to protect against a Data Loss Event which must be approved reject shall not amount to approval by the Controller.
(eController of the adequacy of the Protective Measures) If lawful having taken account of the: nature of the data to notify the Controller, be protected; harm that might result from a Personal Data Breach; state of technological development; and cost of implementing any measures; ensure that : the Processor must promptly notify the Controller if the Processor is otherwise required to process Personnel do not Process Personal Data by Law before processing it.
except in accordance with the LVPS Contract (f) The Processor must use and in particular Appendix 1 (Processing Personal Data)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor's ’s duties under this clause 14;
▇▇▇▇▇ ▇, clauses 14 (iiData protection), 15 (What you must keep confidential) and 16 (When you can share information) of the Conditions; are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) ; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contract; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) : the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 of the EU GDPR 46) as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) ; the Data Subject has enforceable rights and effective legal remedies;
(iii) ; the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing Processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the LVPS Contract unless the Processor must is required by Law to retain the Personal Data. Subject to paragraph 7 of this Annex B, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with the LVPS Contract it:
(i) : receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; receives a request to rectify, block or erase any Personal Data;
(iii) ; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed Processed under this the LVPS Contract;
(v) ; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Personal Data Loss Event.
(k) Any requirement Breach. The Processor’s obligation to notify under clause (j) includes paragraph 6 of this Annex B shall include the provision of further information to the Controller in stages Controller, as details become available.
(i) The . Taking into account the nature of the Processing, the Processor must promptly shall provide the Controller with full assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause paragraph 6 of this Annex B (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by immediately providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Personal Data Loss EventBreach; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) Office. The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14▇▇▇▇▇ ▇. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: the Controller determines that the processing:
(i) Processing is not occasional;
(ii) ; the Controller determines the Processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or the Controller determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor to process Process any Personal DataData related to the Contract, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor and processing;
(ii) Processing; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so which give effect to the terms set out in this Annex B such that this clause 14 applies they apply to the Subprocessor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At of its Subprocessors. ccs may, at any time the Buyer can, with 30 on not less than thirty (30) Working Days’ notice to the Suppliernotice, change revise this clause 14 to replace Annex B by replacing it with any applicable controller to processor standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) . The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or ’s Office. CCS may on not less than thirty (30) Working Days’ notice to the Supplier amend the Contract to ensure that it complies with any other regulatory authorityguidance issued by the Information Commissioner’s Office.
Sources: LVPS Agreement
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – Schedule 11 (Processing Personal Data Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected envisaged processing operations and its purpose;
(ii) the purpose of the processing; an assessment of the necessity and proportionality of the processing operations;
(iii) operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 11 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller immediately if Authority before processing the Personal Data unless prohibited by Law; ensure that it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put has in place appropriate Protective Measures Measures, including in the case of the Supplier the measures set out in Clause 21 (Authority Data and Security Requirements), which the Controller may reasonably reject (but failure to protect against reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, Event; state of technological development; and cost of implementing any measures; ensure that: the Processor must promptly notify the Controller if the Processor is otherwise required to Personnel do not process Personal Data by Law before processing it.
except in accordance with this Agreement (f) The Processor must use and in particular Schedule 11 (Processing Personal Data)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor's ’s duties under this clause 14;
▇▇▇▇▇▇, Clauses 22 (iiConfidentiality) and 21 (Authority Data and Security Requirements); are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) Sub-processor; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contractthis Agreement; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where ; where the Personal Data is subject to UK GDPR, the Processor must not transfer such Personal Data outside of the UK UK, other than to the Controller, unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) : the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR Article 46 or section 75 of the DPA 20182018 Section 75) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's ’s SCCs (the "Addendum"), as published by the Information Commissioner's ’s Office from time and as set out in Annex 2 to time Schedule 11 (Processing Personal Data), as well as any additional measures determined by the Controller;
(iii) Controller the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) remedies; the Processor meets complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferredtransferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(v) and the Processor complies with any reasonable instructions notified to it in advance by the Controller's reasonable prior instructions about Controller with respect to the processing of the Personal Data.
(h) Where ; and where the Personal Data is subject to EU GDPR, the Processor must not transfer such Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) : the transfer is in accordance with Article 45 of the EU GDPR; or
(i) or the Controller or the Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's ’s decision 2021/914/EU set out in Annex 3 to Schedule 11 (Processing Personal Data) or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) ; the Data Subject has enforceable rights and effective legal remedies;
(iii) ; the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Agreement unless the Processor must is required by Law to retain the Personal Data. Subject to Clause 24.7, the Processor shall notify the Controller immediately if it:
(i) : receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; receives a request to rectify, block or erase any Personal Data;
(iii) ; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Data Loss Event.
(k) Any requirement . The Processor’s obligation to notify under clause (j) includes Clause 24.6 shall include the provision of further information to the Controller in stages phases, as details become available.
(i) The . Taking into account the nature of the processing, the Processor must promptly shall provide the Controller with full reasonable assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause Clause 24.6 (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by promptly providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Data Loss Event; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office or any other regulatory authority, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) . The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: the Controller determines that the processing:
(i) processing is not occasional;
(ii) ; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor Sub-processor to process any Personal DataData related to this Agreement, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor Sub-processor and processing;
(ii) ; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so that this clause 14 applies Sub-processor which give effect to the Subprocessorterms set out in this Clause 24 such that they apply to the Sub-processor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that Sub-processor as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At of its Sub-processors. The Authority may, at any time the Buyer can, with on not less than 30 Working Days’ notice to the Suppliernotice, change revise this clause 14 to replace Clause by replacing it with any applicable controller to processor standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contractthis Agreement).
(q) . The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or ’s Office. The Authority may on not less than 30 Working Days’ notice to the Supplier amend this Agreement to ensure that it complies with any other regulatory authorityguidance issued by the Information Commissioner’s Office.
Appears in 1 contract
Sources: Services Agreement
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Sources: Order Form
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – Processing Schedule 24 (Processing, Personal Data and Data Subjects) by the ControllerController and may not be determined by the Processor. Any further written instructions relating The term “processing” and any associated terms are to be read in accordance with Article 4 of the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
UK GDPR and EU GDPR (b) as applicable). The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected envisaged processing operations and its purpose;
(ii) the purpose of the processing; an assessment of the necessity and proportionality of the processing operations;
(iii) operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 24 (Processing, Personal Data and Data Subjects), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify HSE before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, including in the case of the Provider the measures set out in Clause 37 (HSE Data and Security Requirements), which the Controller immediately if it thinks may reasonably reject (but failure to reject shall not amount to approval by the Controller's instructions breach Controller of the Data Protection Legislation.
(dadequacy of the Protective Measures) The Processor must put in place appropriate Protective Measures having taken account of the: nature of the data to protect against be protected; harm that might result from a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, Event; state of technological development; and cost of implementing any measures; ensure that: the Processor must promptly notify the Controller if the Processor is otherwise required to Personnel do not process Personal Data by Law before processing it.
except in accordance with this Agreement (f) The Processor must use and in particular Schedule 24 (Processing, Personal Data and Data Subjects)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor's ’s duties under this clause 14;
Clause 32, Clauses 31 (iiConfidentiality) and 37 (HSE Data and Security Requirements); are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) Sub-processor; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contractthis Agreement; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must ; not transfer such Personal Data outside of the UK and/or the EEA unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) : the transfer is destination country has been recognised as adequate by the UK government in accordance with Article 45 of the UK GDPR (or section 73 74A of DPA 2018) and/or the transfer is in accordance with Article 45 of the EU GDPR (where applicable); or
(ii) or the Controller or and/or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75 and/or Article 46 or section 75 of the DPA 2018EU GDPR (where applicable)) as determined by the Controller which could include relevant parties entering into into: where the transfer is subject to UK GDPR: the UK International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office under section 119A(1) of the DPA 2018 from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferredtime; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's Standard Contractual Clauses per decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time ("EU SCCs"), together with the UK International Data Transfer Agreement Addendum to the EU SCCs (the "Addendum") as published by the Information Commissioner's Office from time to time; and/or where the transfer is subject to EU GDPR, the EU SCCs, as well as any additional measures determined by the Controller;
(ii) Controller being implemented by the importing party; the Data Subject has enforceable rights and effective legal remedies;
(iii) ; the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Agreement unless the Processor must is required by Law to retain the Personal Data. Subject to Clause 32.2.6, the Processor shall notify the Controller immediately as soon as reasonably practicable (and in any event within one (1) Working Day in respect of the matter described in Clause 32.2.5(f) or within three (3) Working Days in respect of any matters described in Clauses 32.2.5(a), (b), (c), (d) or (e)) if it:
(i) : receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; receives a request to rectify, block or erase any Personal Data;
(iii) ; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Data Loss Event.
(k) Any requirement . The Processor’s obligation to notify under clause (j) includes Clause 32.2.5 shall include the provision of further information to the Controller in stages phases, as details become available.
(i) The . Taking into account the nature of the processing, the Processor must promptly shall provide the Controller with full reasonable assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause Clause 32.2.5 (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by promptly providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Data Loss Event; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office or any other regulatory authority, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) . The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Clause 32. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: the Controller determines that the processing:
(i) processing is not occasional;
(ii) ; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor Sub-processor to process any Personal DataData related to this Agreement, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor Sub-processor and processing;
(ii) ; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so that this clause 14 applies Sub-processor which gives effect to the Subprocessorterms set out in this Clause 32 such that they apply to the Sub-processor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that Sub-processor as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) its Sub-processors. The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's ’s Office or any other regulatory authority. HSE may on not less than 30 Working Days’ notice to the Provider amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office or any other regulatory authority.
Appears in 1 contract
Sources: Services Concession Agreement
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(c) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Sources: Order Form
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, the only processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex 1 – Schedule 11 (Processing Personal Data Data) by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – Processing Personal Data.
(b) The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processing. Such assistance may, including:
(i) at the discretion of the Controller, include: a systematic description of the expected envisaged processing operations and its purpose;
(ii) the purpose of the processing; an assessment of the necessity and proportionality of the processing operations;
(iii) operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and
(iv) and the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) . The Processor must shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 11 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller immediately if Authority before processing the Personal Data unless prohibited by Law; ensure that it thinks the Controller's instructions breach the Data Protection Legislation.
(d) The Processor must put has in place appropriate Protective Measures Measures, including in the case of the Controller the measures set out in Clause 21 (Authority Data and Security Requirements), which the Controller may reasonably reject (but failure to protect against reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event which must be approved by the Controller.
(e) If lawful to notify the Controller, Event; state of technological development; and cost of implementing any measures; ensure that: the Processor must promptly notify the Controller if the Processor is otherwise required to Personnel do not process Personal Data by Law before processing it.
except in accordance with this Agreement (f) The Processor must use and in particular Schedule 11 (Processing Personal Data)); it takes all reasonable endeavours steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) : are aware of and comply with the Processor's ’s duties under this clause 14;
▇▇▇▇▇▇, Clauses 22 (iiConfidentiality) and 21 (Authority Data and Security Requirements); are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) Sub-processor; are informed of the confidential nature of the Personal Data and do not provide publish, disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Controller or as otherwise allowed permitted by the Contractthis Agreement; and
(iv) and have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must ; not transfer Personal Data outside of the UK EU, other than to the Controller, unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) : the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 20182018 Section 75) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) ; the Processor complies with its obligations under the EU GDPR Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
; and at the written direction of the Controller, delete or return Personal Data (jand any copies of it) The to the Controller on termination of the Agreement unless the Processor must is required by Law to retain the Personal Data. Subject to Clause 24.7, the Processor shall notify the Controller immediately if it:
(i) : receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) ; receives a request to rectify, block or erase any Personal Data;
(iii) ; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) ; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with the such request is required or claims purported to be required by Law; and
(vi) or becomes aware of a Data Loss Event.
(k) Any requirement . The Processor’s obligation to notify under clause (j) includes Clause 24.6 shall include the provision of further information to the Controller in stages phases, as details become available.
(i) The . Taking into account the nature of the processing, the Processor must promptly shall provide the Controller with full reasonable assistance in relation to any either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause Clause 24.6 (j). This includes giving and insofar as possible within the timescales reasonably required by the Controller:
(ii) including by promptly providing: the Controller with full details and copies of the complaint, communication or request;
(iii) ; such assistance as is reasonably requested assistance so that by the Controller to enable it can to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(iv) ; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject on request;
(v) Subject; assistance that it requests as requested by the Controller following any Data Loss Event; and
(vi) and/or assistance that it requests relating as requested by the Controller with respect to a consultation withany request from the Information Commissioner’s Office, or request from, any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority.
(l) Office. The Processor must shall maintain full, complete and accurate records and information to show it complies demonstrate its compliance with this clause 14Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless either unless: the Controller determines that the processing:
(i) processing is not occasional;
(ii) ; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) . The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) . Before allowing any Subprocessor Sub-processor to process any Personal DataData related to this Agreement, the Processor must:
(i) : notify the Controller in writing of the intended Subprocessor Sub-processor and processing;
(ii) ; obtain the written consent of the Controller;
(iii) ; enter into a written contract agreement with the Subprocessor so that this clause 14 applies Sub-processor which give effect to the Subprocessorterms set out in this Clause 24 such that they apply to the Sub-processor; and
(iv) and provide the Controller with any such information about regarding the Subprocessor that Sub-processor as the Controller may reasonably requires.
(o) require. The Processor remains shall remain fully liable for all acts or omissions of any Subprocessor.
(p) At of its Sub-processors. The Authority may, at any time the Buyer can, with on not less than 30 Working Days’ notice to the Suppliernotice, change revise this clause 14 to replace Clause by replacing it with any applicable controller to processor standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contractthis Agreement).
(q) . The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or ’s Office. The Authority may on not less than 30 Working Days’ notice to the Supplier amend this Agreement to ensure that it complies with any other regulatory authorityguidance issued by the Information Commissioner’s Office.
Appears in 1 contract
Sources: Services Agreement
Where one Party is Controller and the other Party its Processor. (a) Where a Party is a Processor, it must only process Personal Data if authorised to do so in Part A - Authorised Processing Template of
(b) Annex 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of
(c) Annex 1 – Processing Personal Data.
(bd) The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, including:
(i) a systematic description of the expected processing and its purpose;
(ii) the necessity and proportionality of the processing operations;
(iii) the risks to the rights and freedoms of Data Subjects; and
(iv) the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data.
(ce) The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation.
(df) The Processor must put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
(eg) If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(fh) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed of the confidential nature of the Personal Data and do not provide any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(gi) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(i) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Appears in 1 contract
Sources: Short Form Contract for the Supply of Goods and/or Services
Where one Party is Controller and the other Party its Processor. (a) 2. Where a Party is a Processor, the only Processing that it must only process Personal Data if is authorised to do so is listed in Part A - Authorised Processing Template of Annex Appendix 1 – Processing Personal Data by the Controller. Any further written instructions relating to the processing of Personal Data are incorporated into Part A - Authorised Processing Template of Annex 1 – (Processing Personal Data) by the Controller and may not be determined by the Processor. The Term “processing” and any associated Terms are to be read in accordance with Article 4 of the UK GDPR.
(b) 3. The Processor must give shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation.
4. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting prior to commencing any processingProcessing. Such assistance may, includingat the discretion of the Controller, include:
(ia) a systematic description of the expected envisaged processing operations and its purposethe purpose of the processing;
(iib) an assessment of the necessity and proportionality of the processing operationsoperation in relation to the Offered Deliverables;
(iiic) an assessment of the risks to the rights and freedoms of Data Subjects; and
(ivd) the intended measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect ensure the protection of Personal Data.
(c) 5. The Processor must shall, in relation to any Personal Data processed in connection with its obligations under the Agreement:
(a) process that Personal Data only in accordance with Appendix 1 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall notify the Controller immediately if it thinks before processing the Controller's instructions breach the Personal Data Protection Legislation.unless prohibited by Law;
(db) The Processor must put ensure that it has in place Protective Measures, which are appropriate Protective Measures to protect against a Data Loss Event Event, which must be approved the Controller may reasonably reject. In the event of the Controller reasonably rejecting Protective Measures put in place by the Controller.
(e) If lawful to notify the ControllerProcessor, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it.
(f) The Processor must use all reasonable endeavours to ensure the reliability and integrity of any Processor Personnel who have access propose alternative Protective Measures to the Personal Data and ensure that they:
(i) are aware of and comply with the Processor's duties under this clause 14;
(ii) are subject to appropriate confidentiality undertakings with the Processor or any Subprocessor;
(iii) are informed satisfaction of the confidential nature of the Personal Data and do Controller. Failure to reject shall not provide any of the Personal Data amount to any third party unless directed in writing to do so approval by the Controller or as otherwise allowed by the Contract; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data.
(g) Where the Personal Data is subject to UK GDPR, the Processor must not transfer Personal Data outside of the UK unless the prior written consent adequacy of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR (or section 73 of DPA 2018); or
(ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 of the DPA 2018) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement (the "IDTA"), or International Data Transfer Agreement Addendum to the European Commission's SCCs (the "Addendum"), as published by the Information Commissioner's Office from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies when transferred;
(iv) the Processor meets its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(v) the Processor complies with the Controller's reasonable prior instructions about the processing of the Personal Data.
(h) Where the Personal Data is subject to EU GDPR, the Processor Protective Measures. Protective Measures must not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the Controller or Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission's decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(v) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data.
(j) The Processor must notify the Controller immediately if it:
(i) receives a Data Subject Access Request (or purported Data Subject Access Request);
(ii) receives a request to rectify, block or erase any Personal Data;
(iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract;
(v) receives a request from any third Party for disclosure of Personal Data where compliance with the request is required or claims to be required by Law; and
(vi) becomes aware of a Data Loss Event.
(k) Any requirement to notify under clause (j) includes the provision of further information to the Controller in stages as details become available.
(i) The Processor must promptly provide the Controller with full assistance in relation to any Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (j). This includes giving the Controller:
(ii) full details and copies of the complaint, communication or request;
(iii) reasonably requested assistance so that it can comply with a Data Subject Access Request within the relevant timescales in the Data Protection Legislation;
(iv) any Personal Data it holds in relation to a Data Subject on request;
(v) assistance that it requests following any Data Loss Event; and
(vi) assistance that it requests relating to a consultation with, or request from, the Information Commissioner's Office or any other regulatory authority.
(l) The Processor must maintain full, accurate records and information to show it complies with this clause 14. This requirement does not apply where the Processor employs fewer than 250 staff, unless either the Controller determines that the processing:
(i) is not occasional;
(ii) includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or
(iii) is likely to result in a risk to the rights and freedoms of Data Subjects.
(m) The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation.
(n) Before allowing any Subprocessor to process any Personal Data, the Processor must:
(i) notify the Controller in writing of the intended Subprocessor and processing;
(ii) obtain the written consent of the Controller;
(iii) enter into a written contract with the Subprocessor so that this clause 14 applies to the Subprocessor; and
(iv) provide the Controller with any information about the Subprocessor that the Controller reasonably requires.
(o) The Processor remains fully liable for all acts or omissions of any Subprocessor.
(p) At any time the Buyer can, with 30 Working Days’ notice to the Supplier, change this clause 14 to replace it with any applicable standard clauses (between the controller and processor) or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Contract).
(q) The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner's Office or any other regulatory authority.
Sources: Sedps Agreement