Common use of Data Processing and Data Protection Clause in Contracts

Data Processing and Data Protection. 16.1. The Parties acknowledge that these Arrangements are subject to the requirements of Data Protection Legislation. This clause 16 is in addition to, and does not relieve, remove or replace, a Council’s obligations under the Data Protection Legislation. 16.2. The Parties acknowledge that for the purposes of Data Protection Legislation, they are Data Controllers and Data Processors. The Information Sharing Protocol at Schedule 6 sets out the scope, nature and purpose of processing by the Parties, the duration of the processing and the types of Personal Data and categories of Data Subject. 16.3. Without prejudice to the generality of clause 15.1 the Parties’ will ensure that they have identified the basis for processing including consent where appropriate and appropriate notices in place to enable the lawful processing of Personal Data in the performance of the Services and for the duration and purposes of this Agreement. 16.4. The Parties shall, in relation to any Personal Data or Sensitive Personal Data processed in connection with the performance of these Arrangements: 16.4.1. ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 16.4.2. not transfer any Personal Data outside of the European Economic Area unless both Parties consent and the following conditions are fulfilled: 16.4.2.1. One or both Parties have provided appropriate safeguards in relation to the transfer; 16.4.2.2. the Data Subject has enforceable rights and effective remedies; 16.4.2.3. the Parties comply with their obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred. 16.5. Subject to the disclosure requirements of any Applicable Laws, nothing in this Agreement shall oblige a Council or a Post Holder to disclose information where such disclosure would be in breach of: 16.5.1. Any contract; and/or 16.5.2. Any other relevant and applicable internal or external policies or codes of conduct in relation to confidentiality and disclosure of information. 16.6. The Parties will, upon receipt of any of the following and to the extent that it is personal data under the control of both Parties and is permissible and reasonably practicable to do so, notify and consult the other Council prior to the disclosure of any Information relating to these Arrangements: 16.6.1. a request from a Data Subject to have access to that person's Personal Data; 16.6.2. a request to rectify, block or erase any Personal Data; 16.6.3. any other request, complaint or communication relating to either Council’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner). 16.7. Where appropriate, The Parties will assist each other in responding to any request from a Data Subject and in ensuring compliance with their obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. The Parties acknowledge however that they may be required to respond to a request without obtaining consent from the other. 16.8. Where data is held in joint control, the Parties will notify each other immediately [and in any event within 24 hours] on becoming aware of a Personal Data breach relating to these Arrangements including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this Agreement. 16.9. The Parties will maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for inspections by their respective auditors. 16.10. The Parties shall take reasonable steps to procure that staff and Post Holders who process any Personal Data or Sensitive Personal Data in accordance with or in the course of this Agreement and/or the performance of the S113 Duties shall do so in accordance with the Applicable Laws and any other relevant guidance. 16.11. Each Council agrees at all times during the continuance of this Agreement and after its termination to keep confidential all information or data that it receives or otherwise acquires in connection with the Arrangements and which by its nature is confidential or which has reasonably been marked with such words signifying that it should not be disclosed except where: 16.11.1. The disclosure is made pursuant to clause 21 or any litigation between the Parties; 16.11.2. The disclosure is required to comply with Law (including the FOIA); 16.11.3. The disclosure is made to a Council’s professional advisors who owe a similar obligation of confidentiality; or 16.11.4. The information was in the possession of the Council without obligation of confidentiality or was in the public domain (otherwise than by breach of this Agreement) before receiving it from the other Council. 16.12. The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.

Data Processing and Data Protection. 16.1. The Parties acknowledge that these Arrangements are subject to the requirements of Data Protection Legislation. This clause 16 is in addition to, and does not relieve, remove or replace, a CouncilParty’s obligations under the Data Protection Legislation. 16.2. The Parties acknowledge that for the purposes of Data Protection Legislation, they are Data Controllers and Data Processors. The Information Sharing Protocol at Schedule 6 sets out the scope, nature and purpose of processing by the Parties, the duration of the processing and the types of Personal Data and categories of Data Subject. 16.3. Without prejudice to the generality of clause 15.1 16.1 the Parties’ will ensure that they have identified the basis for processing including consent where appropriate and appropriate notices in place to enable the lawful processing of Personal Data in the performance of the Services and for the duration and purposes of this Agreement. 16.4. The Parties shall, in relation to any Personal Data or Sensitive Personal Data processed in connection with the performance of these Arrangements: 16.4.1. ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 16.4.2. not transfer any Personal Data outside of the European Economic Area unless both Parties consent and the following conditions are fulfilled: 16.4.2.1. One or both Parties have provided appropriate safeguards in relation to the transfer; 16.4.2.2. the Data Subject has enforceable rights and effective remedies; 16.4.2.3. the Parties comply with their obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred. 16.5. Subject to the disclosure requirements of any Applicable Laws, nothing in this Agreement shall oblige a Council Party or a Post Holder to disclose information where such disclosure would be in breach of: 16.5.1. Any contract; and/or 16.5.2. Any other relevant and applicable internal or external policies or codes of conduct in relation to confidentiality and disclosure of information. 16.6. The Parties will, upon receipt of any of the following and to the extent that it is personal data under the control of both Parties and is permissible and reasonably practicable to do so, notify and consult the other Council prior to the disclosure of any Information relating to these Arrangements: 16.6.1. a request from a Data Subject to have access to that person's Personal Data; 16.6.2. a request to rectify, block or erase any Personal Data; 16.6.3. any other request, complaint or communication relating to either Council’s obligations under the Data Protection Legislation (including any communication from the Information Commissioner). 16.7. Where appropriate, The Parties will assist each other in responding to any request from a Data Subject and in ensuring compliance with their obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. The Parties acknowledge however that they may be required to respond to a request without obtaining consent from the other. 16.8. Where data is held in joint control, the Parties will notify each other immediately [and in any event within 24 hours] hours on becoming aware of a Personal Data breach relating to these Arrangements including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this Agreement. 16.9. The Parties will maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for inspections by their respective auditors. 16.10. The Parties shall take reasonable steps to procure that staff and Post Holders who process any Personal Data or Sensitive Personal Data in accordance with or in the course of this Agreement and/or the performance of the S113 Duties shall do so in accordance with the Applicable Laws and any other relevant guidance. 16.11. Each Council agrees at all times during the continuance of this Agreement and after its termination to keep confidential all information or data that it receives or otherwise acquires in connection with the Arrangements and which by its nature is confidential or which has reasonably been marked with such words signifying that it should not be disclosed except where: 16.11.1. The disclosure is made pursuant to clause 21 or any litigation between the Parties; 16.11.2. The disclosure is required to comply with Law (including the FOIA); 16.11.3. The disclosure is made to a Council’s professional advisors who owe a similar obligation of confidentiality; or 16.11.4. The information was in the possession of the Council without obligation of confidentiality or was in the public domain (otherwise than by breach of this Agreement) before receiving it from the other Council. 16.12. The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.