Common use of DATA PROCESSING OBLIGATIONS Clause in Contracts

DATA PROCESSING OBLIGATIONS.

37.1. In respect of any Personal Data to be processed by the Data Processor pursuant to this Agreement for which the Councils are Data Controllers, the Data Processor shall:

37.1.1. have in place and at all times maintain appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk and shall implement any reasonable security measures as requested by the Councils from time to time;

37.1.2. not engage any sub-processor without the prior specific or general written authorisation of the Councils (and in the case of general written authorisation; the Data Processor shall inform the Councils of any intended changes concerning the addition or replacement of other processors and the Councils shall have the right to object to such changes);

37.1.3. ensure that each of the Data Processor’s employees, agents, consultants, Sub-Contractors and sub-processors are made aware of the Data Processor’s obligations under this Schedule and enter into binding obligations with the Data Processor to maintain the levels of security and protection required under the Data Protection clauses in this Agreement. The Data Processor shall ensure that the terms of this Schedule are incorporated into each agreement with any sub-processor, subcontractor, agent or consultant to the effect that the sub-processor, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Data Processor under this Schedule. The Data Processor shall at all times be and remain liable to the Councils for any failure of any employee, agent, consultant, subcontractor or sub-processor to act in accordance with the duties and obligations of the Data Processor under this Schedule;

37.1.4. process that Personal Data only on behalf of the Councils in accordance with the Councils’ instructions and to perform its obligations under this agreement or other documented instructions and for no other purpose save to the limited extent required by law;

37.1.5. (at no additional cost to the Councils) within 7 days following the end of the term of this agreement, deliver to the Councils (in such format as the Councils may require) a full and complete copy of all Personal Data, and, following confirmation of receipt from the Councils, permanently remove the Personal Data (and copies) from the Data Processor’s systems, and the Data Processor shall certify to the Councils that it has complied with these requirements, and such Personal Data shall remain confidential in perpetuity;

37.1.6. ensure that all persons authorised to access the Personal Data are subject to obligations of confidentiality and receive training to ensure compliance with this agreement and the Data Protection Laws;

37.1.7. make available to the Councils all information necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Councils or another auditor mandated by the Councils, of the Data Processor’s data processing facilities, procedures and documentation (and the facilities, procedures and documentation of any sub-processors) in order to ascertain compliance with the Data Protection clauses in this Agreement, within 5 Business Days of request by the client and, following any such audit, without prejudice to any other rights of the Councils, the Data Processor shall implement such measures which the Councils considers reasonably necessary to achieve compliance with the Data Processor’s obligations under this Schedule; provided that, in respect of this provision the Data Processor shall immediately inform the Councils if, in its opinion, an instruction infringes Data Protection Laws;

37.1.8. taking into account the nature of the processing, provide assistance to the Councils, within such timescales as the Councils may require from time to time, in connection with the fulfilment of the Councils’ obligation as Data Controller to respond to requests for the exercise of data subjects’ rights pursuant to Chapter III of the GDPR to the extent applicable;

37.1.9. provide the Councils with assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to the Councils, taking into account the nature of the processing and the information available to the Data Processor;

37.1.10. (at no additional cost to the Councils) deal promptly and properly with all enquiries or requests from the Councils relating to the Personal Data and the data processing activities, promptly provide to the Councils in such form as the Councils may request, a copy of any Personal Data requested by the Councils;

37.1.11. (at no additional cost to the Councils) assist the Councils (where requested by the Councils) in connection with any regulatory or law enforcement authority audit, investigation or enforcement action in respect of the Personal Data;

37.1.12. immediately notify the Councils in writing about:

37.1.12.1. any Data Breach or any accidental loss, disclosure or unauthorised access of which the Data Processor becomes aware in respect of Personal Data that it processes on behalf of the Councils;

37.1.12.2. any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited);

37.1.12.3. any access request or complaint received directly from a data subject (without responding other than to acknowledge receipt).

Appears in 2 contracts

Sources: Service Agreement for the Provision of Waste Management Services, Service Agreement for the Provision of Waste Management Services