Common use of Data Controller’s Obligations Clause in Contracts

Data Controller’s Obligations. 3.1 To the extent that the Data Processor processes Personal Data in the course of providing the Services, each party acknowledges that, for the purposes of the Data Protection Legislation the Data Controller is the controller of any Personal Data. 3.2 The Data Controller represents and warrants that it shall comply with its obligations under this DPA and the Data Protection Legislation. 3.3 The Data Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Data Processor, its Affiliates and Sub- Processors, to execute their rights or perform their obligations under this DPA. 3.4 All Affiliates of the Data Controller who use the Services shall comply with the obligations of the Data Controller set out in this DPA. 3.5 The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Data Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: 3.5.1 The pseudonymisation and encryption of Personal Data; 3.5.2 The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; 3.5.3 The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; 3.5.4 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 3.6 The Data Controller acknowledges and agrees that some instructions from the Data Controller, including the Data Processor assisting with audits, inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. The Data Processor shall be entitled to charge the Data Controller for its costs and expenses in providing any such assistance.

Data Controller’s Obligations. 3.1 To the extent that the Data Processor processes Personal Data in the course of providing the Services, each party acknowledges that, for the purposes of the Data Protection Legislation the Data Controller is the controller of any Personal Data. 3.2 The Data Controller represents and warrants that that: 3.2.1 it shall comply with its obligations under this DPA and the Data Protection Legislation.; 3.3 The Data Controller represents and warrants that 3.2.2 it has obtained any and all necessary permissions and authorisations necessary to permit the Data Processor, its Affiliates and Sub- Sub-Processors, to execute their rights or perform their obligations under this DPA.; and 3.4 All 3.2.3 all Affiliates of the Data Controller who use the Services shall comply with the obligations of the Data Controller set out in this DPA. 3.5 3.3 The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Data Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: 3.5.1 3.3.1 The pseudonymisation and encryption of Personal Data; 3.5.2 3.3.2 The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; 3.5.3 3.3.3 The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; 3.5.4 3.3.4 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 3.6 3.4 The Data Controller acknowledges and agrees that some instructions from the Data Controller, including the Data Processor assisting with audits, inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. The Data Processor shall be entitled to charge the Data Controller for its costs and expenses in providing any such assistance.