Common use of Controller to Processor Clause in Contracts

Controller to Processor. Where one Party acting as a Controller discloses Personal Data to the other Party to Process as a Processor or Subprocessor on its behalf, the Party acting as a Processor or Subprocessor shall: 4.1 Process the Personal Data only in accordance with the Controller’s instructions, unless required to do so by applicable law. Any additional or alternate Processing instructions not contained in this Schedule must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Neither Party is responsible for determining if the Controller’s instructions are compliant with applicable law. However, if either Party is of the opinion that a Controller instruction infringes applicable Privacy Laws, that Party shall notify the other as soon as reasonably practicable and shall not be required to comply with such infringing instruction. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Personal Data and data subjects are as specified in the Agreement and Annex 2. 4.2 Process the Personal Data provided by the Controller only to the extent necessary to perform its obligations under the Agreement; 4.3 Not disclose the Personal Data to any third party (other than an Affiliate or Subprocessor) except as necessary and only for the purposes of: (a) complying with the Controller’s instructions; (b) complying with this Schedule; or (c) complying with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a governmental body, Processor will give the Controller notice of any legal requirement or order referenced in this provision; 4.4 Upon becoming aware of a Personal Data Breach, (i) notify the Controller without undue delay (and in any event within 72 hours); (ii) provide written details of the Personal Data Breach to the extent such information is known or available to the Processor at the time; and (iii) use reasonable efforts to assist the other Party in mitigating where possible, the adverse effects of any Personal Data Breach; and (iv) implement all measures required by Privacy Laws in case of such Personal Data Breach. 4.5 Upon reasonable prior written request, provide the Controller with such information as may be reasonably necessary under applicable law to demonstrate Processor’s compliance with this Schedule; 4.6 Upon reasonable prior notice, provide reasonably requested assistance to the Controller to carry out data protection impact assessments and/or prior consultations to the extent required by Privacy Laws in relation to the Processing of Personal Data by that Party as a Processor; 4.7 Promptly notify Controller of, and cooperate with the Controller to address, any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under any applicable Privacy Laws. Processor shall not respond to such communications directly without Controller’ prior authorization, unless legally compelled to do so; 4.8 At the expiry or termination of the Agreement, or otherwise at Controller’s option (as may be requested in writing), delete or return all Personal Data to Controller as soon as reasonably practicable, except where the Processor is required to retain copies under applicable law, in which case Processor will limit and protect that Personal Data from any further Processing except to the extent required by applicable law; 4.9 If either Party is Processing Personal Data within the scope of the CCPA, that Party shall Process Personal Data on behalf of the other Party only and will not retain, use, share or disclose that Personal Data for any purpose other than for the purposes set out in this Schedule, the Agreement and as permitted under the CCPA or any subsequent law. In no event will either Party share any Personal Data with third parties (except to Subprocessors in accordance with clause 5 below) or sell any Personal Data. Each Party certifies that it understands and will comply with all restrictions placed on its’ Processing of Personal Data, including by avoiding any action that would cause the other Party to be deemed to have sold Personal Data or Personal Information under the CCPA. For purposes of this paragraph, Processors hereunder will be considered Service Providers as defined in Section 1798.140 (v) of the CCPA; and 4.10 Upon reasonable prior written request from the other Party (such request to be made in accordance with the terms of the Agreement), provide such information as may be reasonably necessary to demonstrate compliance with the Processor’s obligations under this Schedule and allow for and contribute to audits, including inspections, conducted by the other Party or another auditor mandated by that Party.

Controller to Processor. Where one Party acting as a Controller discloses Personal Data to the other Party to Process as a Processor or Subprocessor on its behalf, the Party acting as a Processor or Subprocessor shall: 4.1 Process the Personal Data only in accordance with the Controller’s instructions, unless required to do so by applicable law. Any additional or alternate Processing instructions not contained in this Schedule must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Neither Party is responsible for determining if the Controller’s instructions are compliant with applicable law. However, if either Party is of the opinion that a Controller instruction infringes applicable Privacy Laws, that Party shall notify the other as soon as reasonably practicable and shall not be required to comply with such infringing instruction. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Personal Data and data subjects are as specified in the Agreement and Annex 2. 4.2 Process the Personal Data provided by the Controller only to the extent necessary to perform its obligations under the Agreement; 4.3 Not disclose the Personal Data to any third party (other than an Affiliate or Subprocessor) except as necessary and only for the purposes of: (a) complying with the Controller’s instructions; (b) complying with this Schedule; or (c) complying with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a governmental body, Processor will give the Controller notice of any legal requirement or order referenced in this provision; 4.4 Upon becoming aware of a Personal Data Breach, (i) notify the Controller without undue delay (and in any event within 72 hours)delay; (ii) provide written details of the Personal Data Breach to the extent such information is known or available to the Processor at the time; and (iii) use reasonable efforts to assist the other Party in mitigating where possible, the adverse effects of any Personal Data Breach; and (iv) implement all measures required by Privacy Laws in case of such Personal Data Breach. 4.5 Upon reasonable prior written request, provide the Controller with such information as may be reasonably necessary under applicable law to demonstrate Processor’s compliance with this Schedule; 4.6 Upon reasonable prior notice, provide reasonably requested assistance to the Controller to carry out data protection impact assessments and/or prior consultations to the extent required by Privacy Laws in relation to the Processing of Personal Data by that Party as a Processor; 4.7 Promptly notify Controller of, and cooperate with the Controller to address, any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under any applicable Privacy Laws. Processor shall not respond to such communications directly without Controller’ prior authorization, unless legally compelled to do so; 4.8 At the expiry or termination of the Agreement, or otherwise at Controller’s option (as may be requested in writing), delete or return all Personal Data to Controller as soon as reasonably practicable, except where the Processor is required to retain copies under applicable law, in which case Processor will limit and protect that Personal Data from any further Processing except to the extent required by applicable law; 4.9 If either Party is Processing Personal Data within the scope of the CCPA, that Party shall Process Personal Data on behalf of the other Party only and will not retain, use, share or disclose that Personal Data for any purpose other than for the purposes set out in this Schedule, the Agreement and as permitted under the CCPA or any subsequent law. In no event will either Party share any Personal Data with third parties (except to Subprocessors in accordance with clause 5 below) or sell any Personal Data. Each Party certifies that it understands and will comply with all restrictions placed on its’ Processing of Personal Data, including by avoiding any action that would cause the other Party to be deemed to have sold Personal Data or Personal Information under the CCPA. For purposes of this paragraph, Processors hereunder will be considered Service Providers as defined in Section 1798.140 (v) of the CCPA; and 4.10 Upon reasonable prior written request from the other Party (such request to be made in accordance with the terms of the Agreement), provide such information as may be reasonably necessary to demonstrate compliance with the Processor’s obligations under this Schedule and allow for and contribute to audits, including inspections, conducted by the other Party or another auditor mandated by that Party.

Controller to Processor. Where one Party acting as a Controller discloses Personal Data to the other Party to Process as a Processor or Subprocessor on its behalf, the Party acting as a Processor or Subprocessor shall: 4.1 Process the Personal Data only in accordance with the Controller’s instructions, unless required to do so by applicable law. Any additional or alternate Processing instructions not contained in this Schedule must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Neither Party is responsible for determining if the Controller’s instructions are compliant with applicable law. However, if either Party is of the opinion that a Controller instruction infringes applicable Privacy Laws, that Party shall notify the other as soon as reasonably practicable and shall not be required to comply with such infringing instruction. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Personal Data and data subjects are as specified in the Agreement and Annex 2. 4.2 Process the Personal Data provided by the Controller only to the extent necessary to perform its obligations under the Agreement; 4.3 Not disclose the Personal Data to any third party (other than an Affiliate or Subprocessor) except as necessary and only for the purposes of: (a) complying with the Controller’s instructions; (b) complying with this Schedule; or (c) complying with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a governmental body, Processor will give the Controller notice of any legal requirement or order referenced in this provision; 4.4 Upon becoming aware of a Personal Data Breach, (i) notify the Controller without undue delay (and delay(and in any event within 72 hours); (ii) provide written details of the Personal Data Breach to the extent such information is known or available to the Processor at the time; and (iii) use reasonable efforts to assist the other Party in mitigating where possible, the adverse effects of any Personal Data Breach; and (iv) implement all measures required by Privacy Laws in case of such Personal Data Breach. 4.5 Upon reasonable prior written request, provide the Controller with such information as may be reasonably necessary under applicable law to demonstrate Processor’s compliance with this Schedule; 4.6 Upon reasonable prior notice, provide reasonably requested assistance to the Controller to carry out data protection impact assessments and/or prior consultations to the extent required by Privacy Laws in relation to the Processing of Personal Data by that Party as a Processor; 4.7 Promptly notify Controller of, and cooperate with the Controller to address, any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under any applicable Privacy Laws. Processor shall not respond to such communications directly without Controller’ prior authorization, unless legally compelled to do so; 4.8 At the expiry or termination of the Agreement, or otherwise at Controller’s option (as may be requested in writing), delete or return all Personal Data to Controller as soon as reasonably practicable, except where the Processor is required to retain copies under applicable law, in which case Processor will limit and protect that Personal Data from any further Processing except to the extent required by applicable law; 4.9 If either Party is Processing Personal Data within the scope of the CCPA, that Party shall Process Personal Data on behalf of the other Party only and will not retain, use, share or disclose that Personal Data for any purpose other than for the purposes set out in this Schedule, the Agreement and as permitted under the CCPA or any subsequent law. In no event will either Party share any Personal Data with third parties (except to Subprocessors in accordance with clause 5 below) or sell any Personal Data. Each Party certifies that it understands and will comply with all restrictions placed on its’ Processing of Personal Data, including by avoiding any action that would cause the other Party to be deemed to have sold Personal Data or Personal Information under the CCPA. For purposes of this paragraph, Processors hereunder will be considered Service Providers as defined in Section 1798.140 (v) of the CCPA; and 4.10 Upon reasonable prior written request from the other Party (such request to be made in accordance with the terms of the Agreement), provide such information as may be reasonably necessary to demonstrate compliance with the Processor’s obligations under this Schedule and allow for and contribute to audits, including inspections, conducted by the other Party or another auditor mandated by that Party.

Controller to Processor. Where one Party acting as a Controller discloses Personal Data to the other Party to Process as a Processor or Subprocessor on its behalf, the Party acting as a Processor or Subprocessor shall: 4.1 Process the Personal Data only in accordance with the Controller’s instructions, unless required to do so by applicable law. Any additional or alternate Processing instructions not contained in this Schedule must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Neither Party is responsible for determining if the Controller’s instructions are compliant with applicable law. However, if either Party is of the opinion that a Controller instruction infringes applicable Privacy Laws, that Party shall notify the other as soon as reasonably practicable and shall not be required to comply with such infringing instruction. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Personal Data and data subjects are as specified in the Agreement and Annex 2. 4.2 Process the Personal Data provided by the Controller only to the extent necessary to perform its obligations under the Agreement; 4.3 Not disclose the Personal Data to any third party (other than an Affiliate or Subprocessor) except as necessary and only for the purposes of: (a) complying with the Controller’s instructions; (b) complying with this Schedule; or (c) complying with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a governmental body, Processor will give the Controller notice of any legal requirement or order referenced in this provision; 4.4 Upon becoming aware of a Personal Data Breach, (i) notify the Controller without undue delay (and in any event within 72 hours); (ii) provide written details of the Personal Data Breach to the extent such information is known or available to the Processor at the time; and (iii) use reasonable efforts to assist the other Party in mitigating where possible, the adverse effects of any Personal Data Breach; and (iv) implement all measures required by Privacy Laws in case of such Personal Data Breach. 4.5 Upon reasonable prior written request, provide the Controller with such information as may be reasonably necessary under applicable law to demonstrate Processor’s compliance with this Schedule; 4.6 Upon reasonable prior notice, provide reasonably requested assistance to the Controller to carry out data protection impact assessments and/or prior consultations to the extent required by Privacy Laws in relation to the Processing of Personal Data by that Party as a Processor; 4.7 Promptly notify Controller of, and cooperate with the Controller to address, any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under any applicable Privacy Laws. Processor shall not respond to such communications directly without Controller’ prior authorization, unless legally compelled to do so; 4.8 At the expiry or termination of the Agreement, or otherwise at Controller’s option (as may be requested in writing), delete or return all Personal Data to Controller as soon as reasonably practicable, except where the Processor is required to retain copies under applicable law, in which case Processor will limit and protect that Personal Data from any further Processing except to the extent required by applicable law; 4.9 If either Party is Processing Personal Data within the scope of the CCPA, that Party shall Process Personal Data on behalf of the other Party only and will not retain, use, share or disclose that Personal Data for any purpose other than for the purposes set out in this Schedule, the Agreement and as permitted under the CCPA or any subsequent law. In no event will either Party share any Personal Data with third parties (except to Subprocessors in accordance with clause 5 below) or sell any Personal Data. Each Party certifies that it understands and will comply with all restrictions placed on its’ Processing of Personal Data, including by avoiding any action that would cause the other Party to be deemed to have sold Personal Data or Personal Information under the CCPA. For purposes of this paragraph, Processors hereunder will be considered Service Providers as defined in Section 1798.140 (v) of the CCPA; and 4.10 Upon reasonable prior written request from the other Party (such request to be made in accordance with the terms of the Agreement), provide such information as may be reasonably necessary to demonstrate compliance with the Processor’s obligations under this Schedule and allow for and contribute to audits, including inspections, conducted by the other Party or another auditor mandated by that Party.