Data Processor Obligations. (A) To the extent that the Supplier Processes Personal Data under this Agreement as a Processor on behalf of the Client (as the Controller), then the Supplier shall:
(1) only Process the Personal Data for and on behalf of the Client for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement and any documented instructions from the Client;
(2) keep a record of any Processing of the Personal Data it carries out on behalf of the Client;
(3) unless prohibited by law, notify the Client immediately (and in any event within 24 hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by law to act other than in accordance with the instructions of the Client, including where it believes that any of the Client’s instructions under paragraph 14.7(A)(1) infringe any Data Protection Legislation;
(4) procure that appropriate technical and organisational measures are taken against unauthorised or unlawful Processing of such Personal Data and against accidental loss or destruction of, or damage to, such Personal Data, taking into account the nature of the Personal Data and which are at least sufficient to comply with the obligations imposed on the Client by the Security Requirements under Data Protection Legislation. Where requested by the Client, the Supplier shall provide to the Client evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request;
(5) ensure that all such Personal Data shall be collected, processed and used fairly and lawfully and in accordance with Data Protection Legislation;
(6) operate adequate security procedures, processes and systems to ensure that unauthorised persons do not have access to any equipment used to Process such Personal Data or to the Personal Data itself where possible access to Personal Data is restricted to the Account Manager for the Client;
(7) ensure that any and all use of such Personal Data for marketing purposes shall comply with Data Protection Legislation and with the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003;
(8) ensure that such Personal Data is not transferred to a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 45(1) of the GDPR (as applicable) except with the prior written consent of the Client and in any event in accordance with Data Protection Legislation;
(9) notify the Client promptly (and in any event within 48 hours) following its receipt of any Data Subject Access Request or ICO Correspondence and shall: (i) not disclose any Personal Data in response to any Data Subject Access Request or ICO Correspondence without first consulting with and obtaining the Client’s prior written consent; and (ii) render the Client with all such assistance as the Client may reasonably require to assist in relation to any such Data Subject Access Request or ICO Correspondence;
(10) ensure that any of its Personnel who shall have access to Personal Data shall have entered into appropriate contractually-binding confidentiality undertakings and shall comply with the provisions of this Clause as if they were a party to this Agreement;
(11) within 30 calendar days of a request from the Client, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Client (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Clause 12, and provide reasonable information, assistance and co-operation to the Client, including access to relevant Personnel and/or, on the request of the Client, provide the Client with written evidence of its compliance with the requirements of this Clause 12;
(12) not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Client's prior written consent, save in relation to Third Party Requests where the Supplier is prohibited by law or regulation from notifying the Client, in which case it shall use reasonable endeavours to advise the Client in advance of such disclosure and in any event as soon as practicable thereafter;
(13) not sub-contract the performance of any of its obligations under this Agreement without the prior written consent of the Client;
(14) promptly comply with any request from the Client to amend, transfer or delete any Personal Data. Notwithstanding the foregoing, except to the extent required by any applicable law, upon the earlier of: (a) termination or expiry of this Agreement; and/or (b) the date on which the Personal Data is no longer relevant to, or necessary for, the performance of the Services, the Supplier shall cease Processing of all Personal Data and return and/or permanently and securely destroy the same so that it is no longer retrievable (as directed in writing by the Client), along with all copies in its possession or control;
(15) notify the Client promptly (and in any event within 24 hours) upon becoming aware of any actual or suspected, threatened or ‘near miss’ Personal Data Breach in relation to the Personal Data (and follow up in writing) and shall: (a) conduct or support the Supplier in conducting such investigations and analysis that the Supplier reasonably requires in respect of such Personal Data Breach; (b) implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and (c) assist the Client to make any notifications to the ICO and affected Data Subjects;
(16) comply with the obligations imposed upon a Processor under Data Protection Legislation;
(17) respond to any request for support, information or action required by the Client within such timescales as notified to it by the Client and where no such timescale is provided respond promptly to ensure that the Client meets its duties under Data Protection Legislation in a timely manner.
Appears in 5 contracts
Sources: End User Licence Agreement, Service Agreement, Service Agreement