Common use of Controller Obligations Clause in Contracts

Controller Obligations. Each Controller shall at all times ensure Personal Data is Processed fairly, lawfully and transparently in accordance with Data Protection Legislation. Each Controller warrants that any instructions it issues to a Processor in respect of the Personal Data are lawful.

The following obligations within this clause 6 shall apply where at least one Processor has been identified in Part 1 of this Agreement. Where the Processor is not a Party to this Agreement, the Controllers who instruct them must ensure that any contracts with such Processors provide equivalent protection to the clauses set out in clause 6 of this Agreement. Where indicated, the obligations shall apply to any Party to this Agreement not just Processors. The Parties acknowledge that for the purposes of the Data Protection Legislation in relation to the Data Processing Activities, the Controller(s) and the Processor(s) are as set out in Part 1 of this Agreement.

A Processor must Process the Processor Data only to the extent necessary to perform the Data Processing Activities and only in accordance with the written instructions set out in Part 1 of this Agreement. A Processor must use the Personal Data shared solely for the purposes as instructed and shall not Process the Personal Data for any other purposes.

Each Party agrees to treat the data (including Personal Data) received by them under the terms of this Agreement as confidential and shall safeguard it accordingly.

All Parties must provide all reasonable assistance to one another and in particular to any Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing under this Agreement. Such assistance may include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing operations in relation to the Data Processing Activities; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

Any Party requested, but in particular any Processor who is a Party to this Agreement, shall provide all reasonable assistance to a Controller if the outcome of the Data Protection Impact Assessment leads the Controller to consult the Information Commissioner concerning any proposed arrangements.

A Processor must (and must be required in any contractual documentation where such Processor is not a Party to this Agreement), in relation to any Personal Data Processed in connection with its obligations under this Agreement:
Process that Personal Data only in accordance with the documented instructions of a Controller, unless the Processor is required to do otherwise by Law. If it is so required, the Processor must promptly notify the Controller before Processing the Personal Data unless such notification is prohibited by Law;
ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: nature of the Personal Data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures;
ensure: when delivering the Data Processing Activities, the Processor Staff only Process Personal Data in accordance with this Agreement; it takes all reasonable steps to ensure the reliability and integrity of any Processor Staff who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Processor and any Sub-Processor that are in writing and are legally enforceable; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data that enables them and the Processor to comply with their responsibilities under the Data Protection Legislation and this Agreement. The Processor shall provide the Controller with evidence of completion and maintenance of that training within three Working Days of request by the Controller;
at the written direction of the Controller, delete or return Personal Data (and any copies of it) to that Controller on termination of the Data Processing Activities and certify to the Controller that it has done so within five Working Days of any such instructions being issued, unless the Processor is required by Law to retain the Personal Data;
if the Processor is required by any Law or Regulatory or Supervisory Body to retain any Processor Data that it would otherwise be required to destroy under this clause 6, notify the Controller in writing of that retention giving details of the Processor Data that it must retain and the reasons for its retention;
notify the Controller immediately if it considers that carrying out any of the Controller’s instructions would infringe Data Protection Legislation. This obligation extends to breaches concerning the systems on which the data shared under this Agreement are held, even if the data shared under this Agreement is not directly affected;
cooperate fully with the Controller during any handover arising from the cessation of any part of the Data Processing Activities, and if the Controller directs the Processor to migrate Processor Data to the Controller or to another nominated organisation, provide all reasonable assistance with ensuring safe migration including ensuring the integrity of Personal Data and the nomination of a named point of contact for the Controller (as set out in Annex 1 of Part 1 of this Agreement).

Subject to clause 6.10, a Processor must notify the relevant Controller immediately if it: receives a Subject Rights Request (or purported Subject Rights Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to obligations under Data Protection Legislation owed by the Processor or Controller; receives any communication from the Information Commissioner or any other Regulatory or Supervisory Body (including any communication concerned with the systems on which Personal Data is Processed under this Agreement); receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; becomes aware of or reasonably suspects a Data Loss Event; or becomes aware of or reasonably suspects that it has in any way caused the Controller to breach Data Protection Legislation.

The notification under clause 6.8 shall be given by emailing any relevant request and any subsequent communications to the Controller’s Data Protection Officer immediately, and in no longer than one Working Day of receipt by the Processor. A Processor shall not respond substantively to the communications listed at clause 6.8 save that it may respond to a Regulatory or Supervisory Body following prior consultation with the Controller. A Processor’s obligation to notify under clause 6.8 includes the provision of further information to the Controller in phases, as details become available.

A Processor must provide their instructing Controller with all reasonable assistance in relation to either Party's obligations under the Data Protection Legislation and any complaint, communication or request made under clause 6.8 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; the Controller with any Personal Data it holds in relation to a Data Subject; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Subject Rights Request within the relevant timescales set out in the Data Protection Legislation; such assistance as is reasonably requested by the Controller to enable the Controller to comply with other rights granted to individuals by the Data Protection Legislation including the right of rectification, the right to erasure, the right to object to Processing, the right to restrict Processing, the right to data portability and the right not to be subject to an automated individual decision (including profiling); assistance as requested by the Controller following any Personal Data Loss Event; assistance as requested by the Controller in relation to informing a Data Subject about any Data Loss Event, including communication with the Data Subject; assistance as requested by the Controller with respect to any request from the Information Commissioner, or any consultation by the Controller with the Information Commissioner.

A Processor shall designate a Data Protection Officer if required by the Data Protection Legislation, and shall communicate to the Controller the name and contact details of any Data Protection Officer. A Processor must allow for reasonable audits of its delivery of the Data Processing Activities by the Controller or the Controller’s designated auditor at no additional cost to the Controller.

For the avoidance of doubt: a Processor must not novate this Agreement nor assign, delegate, subcontract, transfer, charge or otherwise dispose of all or any of its rights or obligations or duties under this Agreement without the prior written approval of the instructing Controller. The approval of any sub-processing or subcontracting arrangement may include approval of the terms of the proposed subcontract; subcontracting any part of this Agreement will not relieve a Processor of any of its obligations or duties under this Agreement. A Processor will be responsible for the performance of and will be liable to the Controller for the acts and/or omissions of all Sub-Processors as though they were their own; any positive obligation or duty on the part of the Processor under this Agreement includes an obligation or duty to ensure that all subcontractors and Sub-Processors comply with that positive obligation or duty. Any negative duty or obligation on the part of the Processor under this Agreement includes an obligation or duty to ensure that all subcontractors and Sub-Processors comply with that negative obligation or duty.

Without prejudice to clause 6.16, before allowing any Sub-Processor to Process any Personal Data related to this Agreement, a Processor must: notify the relevant Controller in writing of the intended Sub-Processor and Processing; obtain the written consent of the relevant Controller; carry out appropriate due diligence of the Sub-Processor and ensure this is documented; enter into a binding written agreement with the Sub-Processor which includes equivalent terms to those set out in this Agreement; and provide the relevant Controller with such information regarding the Sub-Processor as the Controller may reasonably require.

The Parties agree to take account of any guidance issued by the Information Commissioner. A Controller may (or where there is more than one Controller they may by agreement) on not less than 30 Working Days’ notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner. A Controller may (or where there is more than one Controller they may by agreement), at any time on not less than 30 Working Days’ notice, revise this Agreement by adding to it any applicable Controller to Processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

A Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Agreement, the Data Protection Legislation and Data Guidance. A Processor must create and maintain a record of all categories of data Processing activities carried out under this Agreement, which must be made available to the instructing Controller within two Working Days of a written request, containing: the categories of Processing carried out under this Agreement; details of categories of Data Subjects; where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where relevant, the documentation of suitable safeguards; a general description of the Protective Measures taken to ensure the security and integrity of the Personal Data Processed under this Agreement; and a log recording the Processing of Personal Data in connection with this Agreement comprising, as a minimum, details of the Personal Data concerned, how the Personal Data was Processed, where the Personal Data was Processed and the identity of any individual carrying out the Processing.

Appears in 3 contracts

Sources: Data Sharing and Processing Agreement (Dspa), in each of the three contracts