Common use of Data Processor and Data Controller Clause in Contracts

Data Processor and Data Controller. ‌ 1.1 The parties agree that, for the Protected Data, the Customer shall be the Data Controller and the Company shall be the Data Processor. 1.2 The Company shall process Protected Data in compliance with: 1.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and 1.2.2 the terms of this Agreement. 1.3 The Customer shall comply with: 1.3.1 all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 1.3.2 the terms of this Agreement. 1.4 The Customer warrants, represents and undertakes, that: 1.4.1 all data sourced by the Customer for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; 1.4.2 all instructions given by it to the Company in respect of Personal Data shall at all times be in accordance with Data Protection Laws; 1.4.3 it is satisfied that: (a) the Company's processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Company to process the Protected Data; and (b) the Company has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws. 1.5 The Customer shall not unreasonably withhold, delay or condition its agreement to any Change requested by the Company in order to ensure the Services and the Company (and each Sub- Processor) can comply with Data Protection Laws. 2 Instructions and details of processing‌ 2.1 Insofar as the Company processes Protected Data on behalf of the Customer, the Company: 2.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 2 and 0 (Data processing details), as updated from time to time in accordance with the Change Control Procedure (Processing Instructions); 2.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and 2.1.3 shall inform the Customer if the Company becomes aware of a Processing Instruction that, in the Company’s opinion, infringes Data Protection Laws, provided that: (a) this shall be without prejudice to clauses 1.3 and 1.4; (b) to the maximum extent permitted by mandatory law, the Company shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information; and (c) this clause 2.1.3 shall only apply from the GDPR Date. 2.2 The processing of Protected Data to be carried out by the Company under this Agreement shall comprise the processing set out in 0 (Data processing details), as may be updated from time to time in accordance with the Change Control Procedure.

Data Processor and Data Controller. ‌ 1.1 The parties Parties agree that, for the Protected Data, the Customer shall be the Data Controller and the Company Service Provider shall be the Data Processor. 1.2 The Company Service Provider shall process Process Protected Data in compliance with: 1.2.1 the obligations of Data Processors under with Data Protection Laws in respect of the performance of its obligations under this Agreement; and 1.2.2 and the terms of this AgreementDPA. 1.3 The Customer shall comply withwarrants, represents and undertakes that: 1.3.1 it shall comply with all Data Protection Laws in connection with the processing Processing of Protected Data, the Services Data and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 1.3.2 the terms of this Agreement.DPA; 1.4 The Customer warrants, represents and undertakes, that: 1.4.1 1.3.2 all data sourced by the Customer for use in connection with the Services, prior to such data being provided to or accessed by Service Provider for the performance of the Services under this DPA, shall comply in all respects, including in terms of its collection, storage and processing Processing, with Data Protection Laws (which shall include the Customer obtaining all consents necessarily required, providing all of the required fair processing notices and information to, to Data Subjects and obtaining all maintaining for the term of this DPA the necessary consents from, legal grounds for transferring the Protected Data Subjectsto Service Provider and allowing Service Provider to perform the Processing contemplated by this DPA), with Data Protection Laws; 1.4.2 1.3.3 all instructions given by it to the Company Service Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws; 1.4.3 1.3.4 it has undertaken due diligence in relation to Service Provider's Processing operations, and it is satisfied that: (a) the CompanyService Provider's processing Processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Company Service Provider to process Process the Protected Data; and (b) the Company Service Provider has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws; and 1.3.5 it shall notify the Service Provider in the event of any change to the nature of the Protected Data, including its type and the categories of the relevant Data Subjects. 1.5 1.4 The Customer shall not unreasonably withhold, delay or condition its agreement to any Change change requested by the Company Service Provider in order to ensure the Services and the Company Service Provider (and each Sub- Sub-Processor) can comply with Data Protection Laws. 2 Instructions and details of processing‌ 2.1 Insofar as the Company processes Protected Data on behalf of the Customer, the Company: 2.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 2 and 0 (Data processing details), as updated from time to time in accordance with the Change Control Procedure (Processing Instructions); 2.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and 2.1.3 shall inform the Customer if the Company becomes aware of a Processing Instruction that, in the Company’s opinion, infringes Data Protection Laws, provided that: (a) this shall be without prejudice to clauses 1.3 and 1.4; (b) to the maximum extent permitted by mandatory law, the Company shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information; and (c) this clause 2.1.3 shall only apply from the GDPR Date. 2.2 The processing of Protected Data to be carried out by the Company under this Agreement shall comprise the processing set out in 0 (Data processing details), as may be updated from time to time in accordance with the Change Control Procedure.

Data Processor and Data Controller. ‌ 1.1 The parties Parties agree that, for the Protected Data, the Customer shall be the Data Controller and the Company Service Provider shall be the Data Processor. 1.2 The Company Service Provider shall process Process Protected Data in compliance with: 1.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this AgreementDPA; and 1.2.2 the terms of this AgreementDPA. 1.3 The Customer shall comply with: 1.3.1 all Data Protection Laws in connection with the processing Processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this AgreementDPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and 1.3.2 the terms of this AgreementDPA. 1.4 The Customer Service Provider warrants, represents and undertakes, that: 1.4.1 all data sourced received by the Customer Service Provider for use in connection with the Services, prior to such data being provided to or accessed by Service Provider for the performance of the Services under this DPA, shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects)Processing, with Data Protection Laws; 1.4.2 all instructions given by it to the Company Service Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws; 1.4.3 it is satisfied has undertaken due diligence in relation to Service Provider 's Processing operations, and the service provider must demonstrate that: (a) the CompanyThe Service Provider's processing Processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Company Service Provider to process Process the Protected Data; and (b) the Company The Service Provider has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.; 1.5 The Customer Service Provider shall not unreasonably withhold, delay or condition its agreement to any Change change requested by the Company Customer in order to ensure the Services and the Company Service Provider (and each Sub- Sub-Processor) can comply complies with Data Protection Laws. 2 Instructions and details of processing‌ 2.1 Insofar as the Company processes Protected Data on behalf of the Customer, the Company: 2.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 2 and 0 (Data processing details), as updated from time to time in accordance with the Change Control Procedure (Processing Instructions); 2.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and 2.1.3 shall inform the Customer if the Company becomes aware of a Processing Instruction that, in the Company’s opinion, infringes Data Protection Laws, provided that: (a) this shall be without prejudice to clauses 1.3 and 1.4; (b) to the maximum extent permitted by mandatory law, the Company shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information; and (c) this clause 2.1.3 shall only apply from the GDPR Date. 2.2 The processing of Protected Data to be carried out by the Company under this Agreement shall comprise the processing set out in 0 (Data processing details), as may be updated from time to time in accordance with the Change Control Procedure.