Data Controller and Data Processor. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Party specified in the Order Form is the Data Controller and the Party specified in the Order Form is the Data Processor. The Order Form sets out the scope, nature and purpose of processing by the Data Processor, the duration of the processing and the types of Personal Data and categories of Data Subject. Without prejudice to the generality of Clause 23.1, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this Contract: process that Personal Data only on the written instructions of the Data Controller. Where the Data Processor is so required, it shall promptly notify the Data Controller before processing the Personal Data, unless prohibited by the Law; ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); not transfer any Personal Data outside of the United Kingdom unless the prior written consent of the Data Controller has been obtained and the following 
conditions are fulfilled: the University or the Supplier has provided appropriate safeguards in relation to the transfer; the Data Subject has enforceable rights and effective remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and the Supplier complies with the reasonable instructions notified to it in advance by the University with respect to the processing of the Personal Data; notify the Data Controller immediately if it receives: a request from a Data Subject to have access to that person’s Personal Data; a request to rectify, block or erase any Personal Data; any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); assist the Data Controller in responding to any request from a Data Subject and in ensuring compliance with the Data Controller’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the Data Controller immediately and in any event within 24 (twenty four) hours on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this Contract; at the written direction of the Data Controller, delete or return Personal Data and copies thereof to the Data Controller on termination or expiry of this Contract unless required by the Law to store the Personal Data; maintain complete and accurate records and information to demonstrate its compliance with this Clause 23 and allow for audits by the Data Controller or the Data Controller’s designated auditor pursuant to Clause 19; Where the Supplier intends to engage a sub-contractor and intends for 
that sub-contractor to process any Personal Data relating to this Contract, it shall: notify the University in writing of the intended processing by the sub-contractor; obtain prior written consent to the processing; ensure that any sub-contract imposes obligations on the sub-contractor to give effect to the terms set out in this Clause 23.
Data Controller and Data Processor. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Party specified in the Order Form is the Data Controller and the Party specified in the Order Form is the Data Processor. The Order Form sets out the scope, nature and purpose of processing by the Data Processor, the duration of the processing and the types of Personal Data and categories of Data Subject. Without prejudice to the generality of Clause 29.1, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this Contract: process that Personal Data only on the written instructions of the Data Controller. Where the Data Processor is so required, it shall promptly notify the Data Controller before processing the Personal Data, unless prohibited by the Law; ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); not transfer any Personal Data outside of the United Kingdom unless the prior written consent of the Data Controller has been obtained and the following 
conditions are fulfilled: the University or the Supplier has provided appropriate safeguards in relation to the transfer; the Data Subject has enforceable rights and effective remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and the Supplier complies with the reasonable instructions notified to it in advance by the University with respect to the processing of the Personal Data; notify the Data Controller immediately if it receives: a request from a Data Subject to have access to that person’s Personal Data; a request to rectify, block or erase any Personal Data; any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner); assist the Data Controller in responding to any request from a Data Subject and in ensuring compliance with the Data Controller’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the Data Controller immediately and in any event within 24 (twenty four) hours on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this Contract; at the written direction of the Data Controller, delete or return Personal Data and copies thereof to the Data Controller on termination or expiry of this Contract unless required by the Law to store the Personal Data; maintain complete and accurate records and information to demonstrate its compliance with this Clause 29 and allow for audits by the Data Controller or the Data Controller’s designated auditor pursuant to Clause 25; Where the Supplier intends to engage a sub-contractor and 
intends for that sub-contractor to process any Personal Data relating to this Contract, it shall: notify the University in writing of the intended processing by the sub-contractor; obtain prior written consent to the processing; ensure that any sub-contract imposes obligations on the sub-contractor to give effect to the terms set out in this Clause 29.