{"component": "clause", "props": {"groups": [{"snippet_links": [{"key": "with-respect-to", "type": "clause", "offset": [0, 15]}, {"key": "rights-and-obligations", "type": "definition", "offset": [29, 51]}, {"key": "the-parties-agree-that", "type": "clause", "offset": [83, 105]}, {"key": "the-data-controller", "type": "definition", "offset": [121, 140]}, {"key": "data-processor", "type": "clause", "offset": [178, 192]}, {"key": "description-of-the", "type": "definition", "offset": [196, 214]}, {"key": "personal-data-processed", "type": "clause", "offset": [215, 238]}, {"key": "by-the-service-provider", "type": "clause", "offset": [239, 262]}, {"key": "set-out", "type": "definition", "offset": [331, 338]}, {"key": "data-processing-activities", "type": "clause", "offset": [346, 372]}, {"key": "clause-19", "type": "definition", "offset": [384, 393]}, {"key": "in-respect-of", "type": "clause", "offset": [399, 412]}, {"key": "in-connection-with", "type": "clause", "offset": [488, 506]}, {"key": "the-service-provider-shall", "type": "clause", "offset": [532, 558]}, {"key": "for-the-purposes-of", "type": "clause", "offset": [649, 668]}, {"key": "in-compliance-with", "type": "definition", "offset": [730, 748]}, {"key": "written-instructions", "type": "definition", "offset": [763, 783]}, {"key": "from-time-to-time", "type": "clause", "offset": [846, 863]}, {"key": "in-writing", "type": "definition", "offset": [864, 874]}, {"key": "by-the-council", "type": "clause", "offset": [875, 889]}, {"key": "notify-the", "type": "clause", "offset": [898, 908]}, {"key": "relating-to", "type": "definition", "offset": [964, 975]}, {"key": "the-processing-of-personal-data", "type": "clause", "offset": [976, 1007]}, {"key": "transfer-to", "type": "definition", "offset": [1033, 1044]}, {"key": "the-united-kingdom", "type": "clause", "offset": [1099, 1117]}, {"key": "consent-of-the-council", "type": "definition", "offset": [1144, 1166]}, {"key": "comply-with-the", "type": "clause", "offset": [1175, 1190]}, {"key": "in-relation-to", "type": "clause", "offset": [1214, 1228]}, {"key": "transfers-of-personal-data", "type": "clause", "offset": [1229, 1255]}, {"key": "pursuant-to-applicable", "type": "clause", "offset": [1339, 1361]}, {"key": "to-transfer", "type": "clause", "offset": [1367, 1378]}, {"key": "the-relevant", "type": "clause", "offset": [1495, 1507]}, {"key": "legal-requirement", "type": "definition", "offset": [1508, 1525]}, {"key": "relevant-law", "type": "definition", "offset": [1569, 1581]}, {"key": "public-interest", "type": "clause", "offset": [1634, 1649]}, {"key": "reasonable-steps", "type": "definition", "offset": [1663, 1679]}, {"key": "to-ensure", "type": "clause", "offset": [1680, 1689]}, {"key": "all-staff", "type": "definition", "offset": [1772, 1781]}, {"key": "process-personal-data", "type": "definition", "offset": [1814, 1835]}, {"key": "subject-to", "type": "definition", "offset": [1840, 1850]}, {"key": "obligations-of-confidentiality", "type": "clause", "offset": [1867, 1897]}, {"key": "third-party", "type": "clause", "offset": [2049, 2060]}, {"key": "contractor-to", "type": "clause", "offset": [2139, 2152]}, {"key": "provided-that", "type": "clause", "offset": [2244, 2257]}, {"key": "the-obligations", "type": "clause", "offset": [2503, 2518]}, {"key": "in-this-clause", "type": "clause", "offset": [2527, 2541]}, {"key": "provider-agreements", "type": "definition", "offset": [2565, 2584]}, {"key": "processing-personal-data", "type": "clause", "offset": [2655, 2679]}, {"key": "in-accordance-with", "type": "definition", "offset": [2707, 2725]}, {"key": "appropriate-technical-and-organisational-measures", "type": "clause", "offset": [2746, 2795]}, {"key": "loss-or-destruction", "type": "clause", "offset": [2880, 2899]}, {"key": "destruction-or-damage", "type": "clause", "offset": [3032, 3053]}, {"key": "the-nature", "type": "clause", "offset": [3058, 3068]}, {"key": "be-protected", "type": "clause", "offset": [3093, 3105]}, {"key": "including-without-limitation", "type": "clause", "offset": [3106, 3134]}, {"key": "compliance-with-the-data-protection-legislation", "type": "clause", "offset": [3185, 3232]}, {"key": "provide-a", "type": "definition", "offset": [3255, 3264]}, {"key": "written-description", "type": "clause", "offset": [3265, 3284]}, {"key": "the-technical", "type": "clause", "offset": [3288, 3301]}, {"key": "employed-by", "type": "definition", "offset": [3330, 3341]}, {"key": "required-by", "type": "definition", "offset": [3386, 3397]}, {"key": "additional-measures", "type": "clause", "offset": [3554, 3573]}, {"key": "acting-reasonably", "type": "clause", "offset": [3610, 3627]}, {"key": "nature-of-the-data", "type": "clause", "offset": [3683, 3701]}, {"key": "at-no-cost", "type": "definition", "offset": [3769, 3779]}, {"key": "in-place", "type": "clause", "offset": [3875, 3883]}, {"key": "respond-to-requests-from-individuals", "type": "clause", "offset": [3986, 4022]}, {"key": "working-days", "type": "definition", "offset": [4163, 4175]}, {"key": "complying-with", "type": "clause", "offset": [4293, 4307]}, {"key": "notices-to", "type": "definition", "offset": [4479, 4489]}, {"key": "data-subjects", "type": "definition", "offset": [4490, 4503]}, {"key": "access-to-personal-data", "type": "clause", "offset": [4641, 4664]}, {"key": "record-of", "type": "clause", "offset": [4819, 4828]}, {"key": "requirements-of-the", "type": "clause", "offset": [4897, 4916]}, {"key": "assist-the", "type": "clause", "offset": [4954, 4964]}, {"key": "ensuring-compliance", "type": "clause", "offset": [5004, 5023]}, {"key": "the-gdpr", "type": "definition", "offset": [5089, 5097]}, {"key": "subsequent-legislation", "type": "clause", "offset": [5146, 5168]}, {"key": "available-to", "type": "definition", "offset": [5279, 5291]}, {"key": "assistance-upon-request", "type": "clause", "offset": [5382, 5405]}, {"key": "data-security-breaches", "type": "clause", "offset": [5438, 5460]}, {"key": "information-commissioner", "type": "definition", "offset": [5468, 5492]}, {"key": "affected-individuals", "type": "definition", "offset": [5505, 5525]}, {"key": "data-protection-impact-assessments", "type": "clause", "offset": [5679, 5713]}, {"key": "measures-to", "type": "clause", "offset": [5857, 5868]}, {"key": "meets-the-requirements", "type": "definition", "offset": [5988, 6010]}, {"key": "rights-of-individuals", "type": "clause", "offset": [6076, 6097]}, {"key": "by-or-on-behalf-of", "type": "definition", "offset": [6299, 6317]}, {"key": "breach-of-security", "type": "definition", "offset": [6349, 6367]}, {"key": "disclosure-of", "type": "clause", "offset": [6450, 6463]}, {"key": "data-security-breach-notification", "type": "clause", "offset": [6611, 6644]}, {"key": "notice-or-communication", "type": "clause", "offset": [6657, 6680]}, {"key": "directly-or-indirectly", "type": "clause", "offset": [6695, 6717]}, {"key": "processing-of-the-personal-data", "type": "clause", "offset": [6725, 6756]}, {"key": "either-party", "type": "clause", "offset": [6763, 6775]}, {"key": "each-case", "type": "definition", "offset": [6834, 6843]}, {"key": "assistance-to-the", "type": "clause", "offset": [6914, 6931]}, {"key": "termination-of-this", "type": "clause", "offset": [7055, 7074]}, {"key": "all-personal-data", "type": "definition", "offset": [7173, 7190]}, {"key": "copies-of-the", "type": "clause", "offset": [7230, 7243]}, {"key": "to-the-extent", "type": "clause", "offset": [7269, 7282]}, {"key": "with-applicable-laws", "type": "clause", "offset": [7373, 7393]}, {"key": "make-available", "type": "definition", "offset": [7397, 7411]}, {"key": "all-information", "type": "clause", "offset": [7453, 7468]}, {"key": "demonstrate-compliance", "type": "clause", "offset": [7482, 7504]}, {"key": "access-to-the-service", "type": "clause", "offset": [7649, 7670]}, {"key": "records-and-personnel", "type": "clause", "offset": [7692, 7713]}, {"key": "under-clause", "type": "clause", "offset": [7799, 7811]}, {"key": "all-costs", "type": "definition", "offset": [7858, 7867]}, {"key": "professional-fees-and-expenses", "type": "definition", "offset": [7905, 7935]}, {"key": "other-liabilities", "type": "definition", "offset": [7958, 7975]}, {"key": "arising-out-of", "type": "definition", "offset": [8080, 8094]}, {"key": "breach-by", "type": "clause", "offset": [8121, 8130]}, {"key": "for-the-avoidance-of-doubt", "type": "clause", "offset": [8190, 8216]}, {"key": "documentary-evidence", "type": "clause", "offset": [8244, 8264]}, {"key": "the-provisions-of-this", "type": "clause", "offset": [8375, 8397]}, {"key": "of-the-provider", "type": "clause", "offset": [8440, 8455]}, {"key": "expiry-or-termination", "type": "clause", "offset": [8493, 8514]}], "snippet": "With respect to the Parties\u2019 rights and obligations under this Provider Agreement, the Parties agree that the Council is the Data Controller and that the Service Provider is the Data Processor. A description of the Personal Data processed by the Service Provider and the processing activities undertaken by the Service Provider is set out in the Data Processing Activities set out in clause 19.1. \u2022 In respect of Personal Data that the Service Provider processes on behalf of the Council in connection with this Provider Agreement, the Service Provider shall and shall procure that its representatives shall:\n19.3.1 solely process the Personal Data for the purposes of fulfilling its obligations under this Provider Agreement and in compliance with the Council\u2019s written instructions as set out in this Provider Agreement and as may be specified from time to time in writing by the Council;\n19.3.2 notify the Council immediately if any instructions of the Council relating to the processing of Personal Data are unlawful;\n19.3.3 not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of the Council;\n19.3.4 comply with the Council\u2019s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Service Provider is required pursuant to applicable laws to transfer Personal Data outside the United Kingdom, in which case the Service Provider shall inform the Council in writing of the relevant legal requirement before any such transfer occurs unless the relevant law prohibits such notification on important grounds of public interest;\n19.3.5 take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data and ensure that all Staff used by the Service Provider to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data;\n19.3.6 ensure that none of the Service Provider\u2019s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council;\n19.3.7 not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of the Council provided that notwithstanding any such consent the Service Provider shall remain liable for compliance with all the requirements of this Provider Agreement including in relation to the processing of Personal Data;\n19.3.8 ensure that obligations equivalent to the obligations set out in this clause 19 are included in all Provider Agreements between the Service Provider and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause;\n19.3.9 take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation;\n19.3.10 upon request provide a written description of the technical and organisational measures employed by the Service Provider (within the timescales required by the Council) and if the Council does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified by the Council (acting reasonably) to ensure compliance;\n19.3.11 taking into account the nature of the data processing activities undertaken by the Service Provider, provide, at no cost to the Council, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable the Council to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation):\n19.3.12 notifying the Council within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation;\n19.3.13 complying with the Council\u2019s instructions in relation to complying with the Data Subject\u2019s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Council;\n19.3.14 maintain a record of the Service Provider\u2019s processing activities in accordance with the requirements of the Data Protection Legislation;\n19.3.15 assist the Council, at no cost to the Council, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Service Provider and the information available to the Service Provider, including (without limitation):\n19.3.15.1 providing information and assistance upon request to enable the Council to notify Data Security Breaches to the Information Commissioner\u2019s and/or to affected individuals and/or to any other regulators to whom the Council is required to notify any Data Security Breaches; and\n19.3.15.2 providing input into and carrying out Data Protection Impact Assessments in relation to the Service Provider\u2019s data processing activities;\n19.3.16 ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Service Provider in connection with this Provider Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation;\n19.3.17 notify the Council immediately and in any event within twenty-four (24) hours in writing if:\n19.3.17.1 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or\n19.3.17.2 the Service Provider or any sub-contractor engaged by or on behalf of the Service Provider receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party\u2019s compliance with the Data Protection Legislation, and in each case the Service Provider shall provide full co-operation, information and assistance to the Council in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Council; \u2022 upon termination of this Provider Agreement, at the discretion of and at no cost to the Council, delete securely or return all Personal Data to the Council and delete all existing copies of the Personal Data unless and to the extent that the Service Provider is required to retain copies of the Personal Data in accordance with applicable laws. \u2022 make available to the Council at no cost to the Council all information necessary to demonstrate compliance with the obligations set out in this clause and, upon request, allow the Council, the Information Commissioner\u2019s Office and its representatives access to the Service Provider\u2019s Premises, records and Personnel for the purposes of assessing the Service Provider\u2019s compliance with its obligations under clause; and \u2022 indemnify the Council from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by the Council and arising out of or in connection with any breach by the Service Provider or any sub-contractor of this clause. For the avoidance of doubt, the Council shall provide documentary evidence to the Service Provider before it can make a claim under this clause in relation to any third-party action. \u2022 The provisions of this clause shall apply during the continuance of the Provider Agreement and indefinitely after its expiry or termination.", "samples": [{"hash": "7Wwo6DLJUJg", "uri": "/contracts/7Wwo6DLJUJg#data-processor-obligations", "label": "Provider Agreement", "score": 32.9305381775, "published": true}, {"hash": "cqWni5oCWVl", "uri": "/contracts/cqWni5oCWVl#data-processor-obligations", "label": "Provider Agreement", "score": 32.7013702393, "published": true}, {"hash": "9T4LCwUgQUy", "uri": "/contracts/9T4LCwUgQUy#data-processor-obligations", "label": "Provider Agreement", "score": 25.7118415833, "published": true}], "size": 11, "hash": "28d42892abf4e71e9b3eab17bcd3719f", "id": 1}, {"snippet_links": [{"key": "in-connection-with", "type": "clause", "offset": [51, 69]}, {"key": "data-processing-purposes", "type": "clause", "offset": [78, 102]}, {"key": "process-personal-data", "type": "definition", "offset": [112, 133]}, {"key": "on-behalf-of", "type": "definition", "offset": [134, 146]}, {"key": "in-accordance-with", "type": "definition", "offset": [245, 263]}, {"key": "technical-and-organisational-security-measures", "type": "clause", "offset": [329, 375]}, {"key": "processing-of-personal-data", "type": "clause", "offset": [409, 436]}, {"key": "loss-or-destruction", "type": "clause", "offset": [460, 479]}, {"key": "state-of", "type": "clause", "offset": [543, 551]}, {"key": "costs-of", "type": "definition", "offset": [586, 594]}, {"key": "destruction-or-damage", "type": "clause", "offset": [760, 781]}, {"key": "nature-of-the", "type": "clause", "offset": [790, 803]}, {"key": "be-protected", "type": "clause", "offset": [821, 833]}, {"key": "the-security", "type": "clause", "offset": [857, 869]}, {"key": "set-out", "type": "definition", "offset": [879, 886]}, {"key": "appendix-1", "type": "clause", "offset": [890, 900]}, {"key": "access-to-the", "type": "clause", "offset": [935, 948]}, {"key": "reasonable-notice", "type": "clause", "offset": [1022, 1039]}, {"key": "the-technical", "type": "clause", "offset": [1050, 1063]}, {"key": "to-ensure", "type": "clause", "offset": [1116, 1125]}, {"key": "data-security-obligations", "type": "definition", "offset": [1161, 1186]}, {"key": "notify-the", "type": "clause", "offset": [1206, 1216]}, {"key": "data-security-breach", "type": "clause", "offset": [1284, 1304]}, {"key": "provide-the", "type": "clause", "offset": [1332, 1343]}, {"key": "to-mitigate", "type": "definition", "offset": [1420, 1431]}, {"key": "in-the-event-of", "type": "definition", "offset": [1510, 1525]}, {"key": "data-subject-access-request", "type": "definition", "offset": [1538, 1565]}, {"key": "the-provisions-of-the", "type": "clause", "offset": [1729, 1750]}, {"key": "where-personal-data", "type": "clause", "offset": [1807, 1826]}, {"key": "no-personal-data", "type": "clause", "offset": [1932, 1948]}, {"key": "european-economic-area", "type": "clause", "offset": [1985, 2007]}, {"key": "consent-of-the", "type": "clause", "offset": [2083, 2097]}, {"key": "terms-and-conditions", "type": "definition", "offset": [2138, 2158]}, {"key": "without-limitation", "type": "clause", "offset": [2170, 2188]}, {"key": "model-clauses", "type": "definition", "offset": [2242, 2255]}, {"key": "approved-by", "type": "clause", "offset": [2268, 2279]}, {"key": "the-european-commission", "type": "clause", "offset": [2280, 2303]}, {"key": "where-relevant", "type": "clause", "offset": [2309, 2323]}, {"key": "provisions-regarding", "type": "clause", "offset": [2343, 2363]}, {"key": "contained-in", "type": "definition", "offset": [2379, 2391]}, {"key": "model-contracts", "type": "definition", "offset": [2397, 2412]}, {"key": "in-respect-of", "type": "clause", "offset": [2413, 2426]}, {"key": "subject-to-the-provisions-of-clause", "type": "clause", "offset": [2451, 2486]}, {"key": "processing-personal-data", "type": "clause", "offset": [2535, 2559]}, {"key": "written-contract", "type": "clause", "offset": [2610, 2626]}, {"key": "relevant-subcontractor", "type": "definition", "offset": [2654, 2676]}, {"key": "in-this-clause", "type": "clause", "offset": [2731, 2745]}, {"key": "personal-data-processed", "type": "clause", "offset": [2878, 2901]}, {"key": "own-cost", "type": "clause", "offset": [3033, 3041]}, {"key": "processing-of-the-personal-data", "type": "clause", "offset": [3119, 3150]}, {"key": "and-expenses", "type": "clause", "offset": [3273, 3285]}, {"key": "breach-of-contract", "type": "definition", "offset": [3372, 3390]}, {"key": "prior-consent", "type": "definition", "offset": [3533, 3546]}, {"key": "the-parties-acknowledge-and-agree-that", "type": "clause", "offset": [3661, 3699]}, {"key": "amendment-to-this-agreement", "type": "clause", "offset": [3704, 3731]}, {"key": "section-1", "type": "definition", "offset": [3760, 3769]}, {"key": "the-code", "type": "clause", "offset": [3781, 3789]}, {"key": "notwithstanding-clause", "type": "clause", "offset": [6892, 6914]}], "snippet": "4.1 GNI acknowledges that in carrying out services in connection with the GNI Data Processing Purposes, it will process Personal Data on behalf of the Shipper. In such circumstances GNI agrees:\n(a) that it will process such personal data solely in accordance with the instructions of the Shipper;\n(b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement;\n(c) to provide access to the Shipper (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPA;\n(d) to notify the Shipper as soon as reasonably practicable on becoming aware of any data security breach actual or suspected and to provide the Shipper with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach;\n(e) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA;\n(f) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors;\n(g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper;\n(h) to promptly inform the Shipper if:-\n(a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or\n(b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data processed on behalf of the Shipper.\n(i) GNI will indemnify the Shipper fully against all losses, damages, claims, demands and expenses suffered by the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees\u2019 obligations under this clause 4.1.\n4.2 GNI further agree that it shall not, without the prior consent of the Shipper, process Shipper Personal Data for any purpose other than the GNI Data Processing Purposes.\n4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications).\n4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees:\n(a) that it will process such personal data solely in accordance with the instructions of GNI;\n(b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement;\n(c) to provide access to GNI (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPA;\n(d) to notify GNI as soon as reasonably practicable on becoming aware of any data security breach, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach;\n(e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA;\n(f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors;\n(g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI;\n(h) to promptly inform GNI if:-\n(a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or\n(b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data.\n(i) Notwithstanding clause 2.11.3, Part I of the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees\u2019 obligations under this clause 4.3 on the part of the Shipper or its directors or employees.\n4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.", "samples": [{"hash": "HbG2HB9FI7", "uri": "/contracts/HbG2HB9FI7#data-processor-obligations", "label": "Data Processor Agreement", "score": 24.4017791748, "published": true}], "size": 10, "hash": "4cbd06374cd7307bb352445821366680", "id": 2}, {"snippet_links": [{"key": "the-contractor-shall", "type": "clause", "offset": [0, 20]}, {"key": "contract-workers", "type": "clause", "offset": [48, 64]}, {"key": "appropriate-technical-and-organisational-measures", "type": "clause", "offset": [110, 159]}, {"key": "protection-of-personal-data", "type": "clause", "offset": [179, 206]}, {"key": "to-ensure", "type": "clause", "offset": [208, 217]}, {"key": "the-rights-of-data-subjects", "type": "clause", "offset": [218, 245]}, {"key": "the-general-data-protection-regulation", "type": "clause", "offset": [320, 358]}, {"key": "employees-and-subcontractors", "type": "clause", "offset": [379, 407]}, {"key": "process-personal-data", "type": "definition", "offset": [422, 443]}, {"key": "subject-to", "type": "definition", "offset": [448, 458]}, {"key": "confidentiality-obligations", "type": "clause", "offset": [467, 494]}, {"key": "in-respect-of", "type": "clause", "offset": [495, 508]}, {"key": "assist-the", "type": "clause", "offset": [532, 542]}, {"key": "respond-to", "type": "clause", "offset": [614, 624]}, {"key": "requests-from-data-subjects", "type": "clause", "offset": [625, 652]}, {"key": "requests-for-information", "type": "definition", "offset": [663, 687]}, {"key": "and-amendments", "type": "clause", "offset": [711, 725]}, {"key": "of-information", "type": "definition", "offset": [726, 740]}, {"key": "transfer-of-data", "type": "clause", "offset": [762, 778]}, {"key": "compliance-with", "type": "clause", "offset": [816, 831]}, {"key": "data-breach-notification", "type": "clause", "offset": [846, 870]}, {"key": "impact-assessment", "type": "clause", "offset": [872, 889]}, {"key": "consultation-obligations", "type": "clause", "offset": [894, 918]}, {"key": "nature-of-processing", "type": "clause", "offset": [978, 998]}, {"key": "available-to", "type": "definition", "offset": [1015, 1027]}, {"key": "data-processor", "type": "clause", "offset": [1032, 1046]}, {"key": "delete-or-return", "type": "clause", "offset": [1080, 1096]}, {"key": "all-personal-data", "type": "definition", "offset": [1097, 1114]}, {"key": "copies-to", "type": "clause", "offset": [1128, 1137]}, {"key": "make-available", "type": "definition", "offset": [1249, 1263]}, {"key": "all-information", "type": "clause", "offset": [1281, 1296]}, {"key": "audits-and-inspections", "type": "clause", "offset": [1340, 1362]}, {"key": "obligations-under-this-agreement", "type": "clause", "offset": [1483, 1515]}, {"key": "given-by-the-purchaser", "type": "clause", "offset": [1606, 1628]}, {"key": "record-of", "type": "clause", "offset": [1712, 1721]}, {"key": "activities-under", "type": "clause", "offset": [1737, 1753]}, {"key": "activities-carried", "type": "clause", "offset": [1809, 1827]}, {"key": "on-behalf-of", "type": "definition", "offset": [1832, 1844]}, {"key": "the-data-protection-legislation", "type": "definition", "offset": [1895, 1926]}, {"key": "on-request", "type": "clause", "offset": [1941, 1951]}, {"key": "european-union", "type": "definition", "offset": [1970, 1984]}, {"key": "state-supervisory-authority", "type": "definition", "offset": [1995, 2022]}, {"key": "notify-the", "type": "clause", "offset": [2027, 2037]}, {"key": "without-undue-delay", "type": "definition", "offset": [2048, 2067]}, {"key": "breach-of-personal-data", "type": "clause", "offset": [2094, 2117]}, {"key": "the-gdpr", "type": "definition", "offset": [2197, 2205]}, {"key": "data-protection-law", "type": "definition", "offset": [2215, 2234]}, {"key": "the-eu", "type": "clause", "offset": [2238, 2244]}, {"key": "a-member", "type": "definition", "offset": [2248, 2256]}, {"key": "further-action", "type": "clause", "offset": [2276, 2290]}, {"key": "further-documents", "type": "clause", "offset": [2307, 2324]}, {"key": "amendments-to-this-contract", "type": "clause", "offset": [2329, 2356]}, {"key": "comply-with", "type": "definition", "offset": [2419, 2430]}, {"key": "in-accordance-with", "type": "definition", "offset": [2490, 2508]}, {"key": "documented-instructions", "type": "definition", "offset": [2525, 2548]}, {"key": "consistent-with", "type": "definition", "offset": [2549, 2564]}, {"key": "scope-of-this-contract", "type": "clause", "offset": [2576, 2598]}, {"key": "applicable-law", "type": "definition", "offset": [2628, 2642]}, {"key": "legal-requirement", "type": "definition", "offset": [2712, 2729]}, {"key": "prohibited-by-law", "type": "clause", "offset": [2737, 2754]}, {"key": "public-interest", "type": "clause", "offset": [2779, 2794]}, {"key": "specific-processing", "type": "clause", "offset": [2843, 2862]}, {"key": "general-written-authorisation", "type": "definition", "offset": [2897, 2926]}, {"key": "other-processor", "type": "definition", "offset": [2965, 2980]}, {"key": "written-contract", "type": "clause", "offset": [2997, 3013]}, {"key": "data-protection-obligations", "type": "definition", "offset": [3056, 3083]}, {"key": "in-this-contract", "type": "clause", "offset": [3121, 3137]}, {"key": "european-economic-area", "type": "clause", "offset": [3192, 3214]}, {"key": "consent-of-the-purchaser", "type": "clause", "offset": [3253, 3277]}, {"key": "the-processor", "type": "definition", "offset": [3324, 3337]}, {"key": "responsibilities-and-liabilities", "type": "clause", "offset": [3356, 3388]}], "snippet": "The Contractor shall (and shall ensure that its Contract Workers and agents shall):\na) implement and maintain appropriate technical and organisational measures and safeguards for protection of personal data, to ensure the rights of data subjects are protected and to ensure that processing will meet the requirements of the General Data Protection Regulation;\nb) ensure that all employees and subcontractors authorised to process personal data are subject to binding confidentiality obligations in respect of that personal data;\nc) assist the Purchaser, using appropriate technical and organisational measures, to respond to requests from data subjects including requests for information, requests for deletion and amendments of information and requests for the transfer of data;\nd) assist the Purchaser in ensuring compliance with its security, data breach notification, impact assessment and consultation obligations under Data Protection Legislation, taking into account the nature of processing and information available to the data processor;\ne) at the Purchaser\u2019s election, delete or return all personal data and existing copies to the Purchaser (unless Data Protection Legislation requires the data processor to store that personal data);\nf) make available to the Purchaser all information necessary, and allow for and contribute to audits and inspections conducted by the Purchaser or the Purchaser\u2019s mandated auditor, to demonstrate the data processor\u2019s compliance with its obligations under this agreement;\ng) immediately inform the Purchaser if, in the data processor\u2019s opinion, any instruction given by the Purchaser to the data processor infringes Data Protection Legislation;\nh) maintain a written record of all processing activities under its responsibility and of all categories of processing activities carried out on behalf of the Purchaser, that satisfies the requirements of the Data Protection Legislation;\ni) cooperate on request with any relevant European Union or member state supervisory authority;\nj) notify the Purchaser without undue delay after becoming aware of a breach of personal data and notify the Purchaser immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state;\nk) take any further action and execute any further documents and amendments to this Contract as may, in the Purchaser\u2019s reasonable opinion, be required to comply with Data Protection Legislation;\nl) only process personal data in accordance with the Purchaser\u2019s documented instructions consistent with and in the scope of this Contract (unless required to do so by applicable law, in which case the data processor shall inform the Purchaser of that legal requirement unless prohibited by law on important grounds of public interest);\nm) only engage another processor to carry out specific processing activities with prior specific or general written authorisation of the Purchaser, and only where that other processor is subject to a written contract imposing on that other processor the same data protection obligations as are imposed on the data processor in this Contract;\nn) not process or transfer personal data outside the European Economic Area except with the express prior written consent of the Purchaser; and\no) nothing within this Contract relieves the processor of its own direct responsibilities and liabilities under the GDPR.", "samples": [{"hash": "cKcHLCeX2zb", "uri": "/contracts/cKcHLCeX2zb#data-processor-obligations", "label": "Supply of Goods and Services Agreement", "score": 28.2057666779, "published": true}, {"hash": "a33puv8jD5w", "uri": "/contracts/a33puv8jD5w#data-processor-obligations", "label": "Supply of Goods and Services Agreement", "score": 27.8663330078, "published": true}, {"hash": "9nZ1ppaZDN3", "uri": "/contracts/9nZ1ppaZDN3#data-processor-obligations", "label": "Supply Agreement", "score": 24.315536499, "published": true}], "size": 8, "hash": "7a1cc1d71119421233241fdc60fe88ee", "id": 3}, {"snippet_links": [{"key": "the-controller", "type": "clause", "offset": [124, 138]}, {"key": "the-supplier-shall", "type": "clause", "offset": [146, 164]}, {"key": "for-and-on-behalf-of", "type": "clause", "offset": [201, 221]}, {"key": "for-the-purposes-of", "type": "clause", "offset": [233, 252]}, {"key": "obligations-under-this-agreement", "type": "clause", "offset": [268, 300]}, {"key": "in-accordance-with", "type": "definition", "offset": [311, 329]}, {"key": "terms-of-this-agreement", "type": "clause", "offset": [334, 357]}, {"key": "documented-instructions", "type": "definition", "offset": [366, 389]}, {"key": "record-of", "type": "clause", "offset": [418, 427]}, {"key": "processing-of-the-personal-data", "type": "clause", "offset": [432, 463]}, {"key": "prohibited-by-law", "type": "clause", "offset": [515, 532]}, {"key": "notify-the", "type": "clause", "offset": [534, 544]}, {"key": "hours-of", "type": "clause", "offset": [592, 600]}, {"key": "acting-reasonably", "type": "clause", "offset": [662, 679]}, {"key": "required-by-law", "type": "definition", "offset": [692, 707]}, {"key": "to-act", "type": "definition", "offset": [708, 714]}, {"key": "data-protection-legislation", "type": "clause", "offset": [883, 910]}, {"key": "appropriate-technical-and-organisational-measures", "type": "clause", "offset": [929, 978]}, {"key": "loss-or-destruction", "type": "clause", "offset": [1078, 1097]}, {"key": "nature-of-the", "type": "clause", "offset": [1160, 1173]}, {"key": "the-obligations", "type": "clause", "offset": [1237, 1252]}, {"key": "security-requirements", "type": "definition", "offset": [1282, 1303]}, {"key": "by-the-client", "type": "clause", "offset": [1355, 1368]}, {"key": "to-the-client", "type": "clause", "offset": [1397, 1410]}, {"key": "evidence-of", "type": "definition", "offset": [1411, 1422]}, {"key": "the-request", "type": "clause", "offset": [1507, 1518]}, {"key": "security-procedures", "type": "definition", "offset": [1691, 1710]}, {"key": "to-ensure", "type": "clause", "offset": [1734, 1743]}, {"key": "unauthorised-persons", "type": "definition", "offset": [1749, 1769]}, {"key": "equipment-used", "type": "clause", "offset": [1796, 1810]}, {"key": "access-to-personal-data", "type": "clause", "offset": [1887, 1910]}, {"key": "account-manager", "type": "clause", "offset": [1932, 1947]}, {"key": "marketing-purposes", "type": "clause", "offset": [2022, 2040]}, {"key": "the-provisions-of-the", "type": "clause", "offset": [2097, 2118]}, {"key": "privacy-and", "type": "definition", "offset": [2119, 2130]}, {"key": "electronic-communications", "type": "definition", "offset": [2131, 2156]}, {"key": "ec-directive", "type": "definition", "offset": [2158, 2170]}, {"key": "european-economic-area", "type": "clause", "offset": [2299, 2321]}, {"key": "eu-commission", "type": "definition", "offset": [2332, 2345]}, {"key": "to-provide", "type": "clause", "offset": [2361, 2371]}, {"key": "adequate-protection", "type": "clause", "offset": [2372, 2391]}, {"key": "the-gdpr", "type": "definition", "offset": [2429, 2437]}, {"key": "consent-of-the", "type": "clause", "offset": [2484, 2498]}, {"key": "receipt-of", "type": "clause", "offset": [2651, 2661]}, {"key": "data-subject-access-request", "type": "definition", "offset": [2666, 2693]}, {"key": "ico-correspondence", "type": "definition", "offset": [2697, 2715]}, {"key": "the-client-will", "type": "clause", "offset": [2927, 2942]}, {"key": "to-assist", "type": "clause", "offset": [3000, 3009]}, {"key": "in-relation-to", "type": "clause", "offset": [3010, 3024]}, {"key": "entered-into", "type": "clause", "offset": [3172, 3184]}, {"key": "confidentiality-undertakings", "type": "clause", "offset": [3219, 3247]}, {"key": "this-clause", "type": "clause", "offset": [3288, 3299]}, {"key": "party-to-this-agreement", "type": "definition", "offset": [3318, 3341]}, {"key": "calendar-days", "type": "definition", "offset": [3358, 3371]}, {"key": "data-processing-facilities", "type": "clause", "offset": [3412, 3438]}, {"key": "documentation-to-be-submitted", "type": "clause", "offset": [3455, 3484]}, {"key": "inspection-or-audit", "type": "clause", "offset": [3499, 3518]}, {"key": "in-order-to", "type": "clause", "offset": [3597, 3608]}, {"key": "compliance-with-the-terms", "type": "clause", "offset": [3619, 3644]}, {"key": "clause-12", "type": "definition", "offset": [3653, 3662]}, {"key": "reasonable-information", "type": "definition", "offset": [3676, 3698]}, {"key": "relevant-personnel", "type": "definition", "offset": [3763, 3781]}, {"key": "provide-the", "type": "clause", "offset": [3820, 3831]}, {"key": "written-evidence", "type": "clause", "offset": [3844, 3860]}, {"key": "the-requirements", "type": "clause", "offset": [3884, 3900]}, {"key": "a-third-party", "type": "clause", "offset": [3955, 3968]}, {"key": "third-party-requests", "type": "clause", "offset": [4083, 4103]}, {"key": "where-the-supplier", "type": "clause", "offset": [4104, 4122]}, {"key": "law-or-regulation", "type": "definition", "offset": [4140, 4157]}, {"key": "reasonable-endeavours", "type": "definition", "offset": [4212, 4233]}, {"key": "to-advise", "type": "definition", "offset": [4234, 4243]}, {"key": "in-advance", "type": "clause", "offset": [4255, 4265]}, {"key": "as-soon-as-practicable", "type": "definition", "offset": [4302, 4324]}, {"key": "the-performance", "type": "clause", "offset": [4359, 4374]}, {"key": "to-amend", "type": "definition", "offset": [4525, 4533]}, {"key": "notwithstanding-the-foregoing", "type": "clause", "offset": [4573, 4602]}, {"key": "except-to-the-extent", "type": "clause", "offset": [4604, 4624]}, {"key": "applicable-law", "type": "definition", "offset": [4641, 4655]}, {"key": "termination-or-expiry-of-this-agreement", "type": "clause", "offset": [4682, 4721]}, {"key": "necessary-for", "type": "definition", "offset": [4799, 4812]}, {"key": "performance-of-the-services", "type": "clause", "offset": [4818, 4845]}, {"key": "all-personal-data", "type": "definition", "offset": [4886, 4903]}, {"key": "securely-destroy", "type": "definition", "offset": [4938, 4954]}, {"key": "as-directed", "type": "clause", "offset": [5001, 5012]}, {"key": "in-writing", "type": "definition", "offset": [5013, 5023]}, {"key": "possession-or-control", "type": "definition", "offset": [5069, 5090]}, {"key": "personal-data-breach", "type": "definition", "offset": [5233, 5253]}, {"key": "in-respect-of", "type": "clause", "offset": [5446, 5459]}, {"key": "remedial-measures", "type": "clause", "offset": [5516, 5533]}, {"key": "security-of", "type": "clause", "offset": [5559, 5570]}, {"key": "assist-the", "type": "clause", "offset": [5606, 5616]}, {"key": "the-ico", "type": "clause", "offset": [5653, 5660]}, {"key": "data-subjects", "type": "definition", "offset": [5674, 5687]}, {"key": "respond-to", "type": "clause", "offset": [5787, 5797]}, {"key": "request-for-support", "type": "clause", "offset": [5802, 5821]}, {"key": "action-required", "type": "definition", "offset": [5838, 5853]}, {"key": "in-a-timely-manner", "type": "definition", "offset": [6057, 6075]}], "snippet": "(A) To the extent that the Supplier Processes Personal Data under this Agreement as a Processor on behalf of the Client (as the Controller), then the Supplier shall:\n(1) only Process the Personal Data for and on behalf of the Client for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement and any documented instructions from the Client;\n(2) keep a record of any Processing of the Personal Data it carries out on behalf of the Client;\n(3) unless prohibited by law, notify the Client immediately (and in any event within 24 hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by law to act other than in accordance with the instructions of the Client, including where it believes that any of the Client\u2019s instructions under paragraph 14.7(A)(1) infringe any Data Protection Legislation.\n(4) procure that appropriate technical and organisational measures are taken against unauthorised or unlawful Processing of such Personal Data and against accidental loss or destruction of, or damage to, such Personal Data, taking into account the nature of the Personal Data and which are at least sufficient to comply with the obligations imposed on the Client by the Security Requirements under Data Protection Legislation. Where requested by the Client, the Supplier shall provide to the Client evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request;\n(5) ensure that all such Personal Data shall be collected, processed and used fairly and lawfully and in accordance with Data Protection Legislation;\n(6) operate adequate security procedures, processes and systems to ensure that unauthorised persons do not have access to any equipment used to Process such Personal Data or to the Personal Data itself where possible access to Personal Data is restricted to the Account Manager for the Client;\n(7) ensure that any and all use of such Personal Data for marketing purposes shall comply with Data Protection Legislation and, with the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003;\n(8) ensure that such Personal Data is not transferred to a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 45\n(1) of the GDPR (as applicable) except with the prior written consent of the Client and in any event in accordance with Data Protection Legislation;\n(9) notify the Client promptly (and in any event within 48 hours) following its receipt of any Data Subject Access Request or ICO Correspondence and shall: (i) not disclose any Personal Data in response to any Data Subject Access Request or ICO Correspondence without first consulting with and obtaining the Client\u2019s prior written consent; and (ii) render the Client will all such assistance as the Client may reasonably require to assist in relation to any such Data Subject Access Request or ICO Correspondence\n(10) ensure that any of its Personnel who shall have access to Personal Data shall have entered into appropriate contractually-binding confidentiality undertakings and shall comply with the provisions of this Clause as if they were a party to this Agreement;\n(11) within 30 calendar days of a request from the Client, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Client (and/ or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Clause 12, and provide reasonable information, assistance and co-operation to the Client, including access to relevant Personnel and/or, on the request of the Client, provide the Client with written evidence of its compliance with the requirements of this Clause 12;\n(12) not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Client's prior written consent, save in relation to Third Party Requests where the Supplier is prohibited by law or regulation from notifying the Client, in which case it shall use reasonable endeavours to advise the Client in advance of such disclosure and in any event as soon as practicable thereafter;\n(13) not sub-contract the performance of any of its obligations under this Agreement without the prior written consent of the Client;\n(14) promptly comply with any request from the Client to amend, transfer or delete any Personal Data. Notwithstanding the foregoing, except to the extent required by any applicable law, upon the earlier of:\n(a) termination or expiry of this Agreement; and/or\n(b) the date on which the Personal Data is no longer relevant to, or necessary for, the performance of the Services, the Supplier shall cease Processing of all Personal Data and return and/or permanently and securely destroy the same so that it is no longer retrievable (as directed in writing by the Client), along with all copies in its possession or control;\n(15) notify the Client promptly (and in any event within 24 hours) upon becoming aware of any actual or suspected, threatened or \u2018near miss\u2019 Personal Data Breach in relation to the Personal Data (and follow-up in writing) and shall:\n(a) conduct or support the Supplier in conducting such investigations and analysis that the Supplier reasonably requires in respect of such Personal Data Breach;\n(b) implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and\n(c) assist the Client to make any notifications to the ICO and affected Data Subjects;\n(16) comply with the obligations imposed upon a Processor under Data Protection Legislation;\n(17) respond to any request for support, information or action required by the Client within such timescales as notified to it by the Client and where no such timescale is provided respond promptly to ensure that the Client meets its duties under Data Protection Legislation in a timely manner.", "samples": [{"hash": "d8kG05U9VcG", "uri": "/contracts/d8kG05U9VcG#data-processor-obligations", "label": "End User Licence Agreement", "score": 30.0945777893, "published": true}, {"hash": "8pZ32WrO0Xm", "uri": "/contracts/8pZ32WrO0Xm#data-processor-obligations", "label": "Service Agreement", "score": 23.1834354401, "published": true}, {"hash": "3pIB4WwEqHd", "uri": "/contracts/3pIB4WwEqHd#data-processor-obligations", "label": "Service Agreement", "score": 22.8466796875, "published": true}], "size": 5, "hash": "8d7f98cc075871f31c050e24fb1c7c87", "id": 4}, {"snippet_links": [{"key": "in-relation-to", "type": "clause", "offset": [15, 29]}, {"key": "data-processed-by-you", "type": "clause", "offset": [43, 64]}, {"key": "in-connection-with", "type": "clause", "offset": [65, 83]}, {"key": "provision-of-the-goods", "type": "clause", "offset": [88, 110]}, {"key": "principal-agreement", "type": "clause", "offset": [138, 157]}, {"key": "written-instructions", "type": "definition", "offset": [202, 222]}, {"key": "required-by", "type": "definition", "offset": [238, 249]}, {"key": "the-laws", "type": "definition", "offset": [250, 258]}, {"key": "the-european-union", "type": "clause", "offset": [276, 294]}, {"key": "applicable-to", "type": "definition", "offset": [332, 345]}, {"key": "process-personal-data", "type": "definition", "offset": [353, 374]}, {"key": "applicable-data-laws", "type": "definition", "offset": [377, 397]}, {"key": "a-member-of-the", "type": "clause", "offset": [438, 453]}, {"key": "european-union-law", "type": "clause", "offset": [472, 490]}, {"key": "the-basis", "type": "clause", "offset": [494, 503]}, {"key": "processing-personal-data", "type": "clause", "offset": [508, 532]}, {"key": "notify-us-of", "type": "clause", "offset": [571, 583]}, {"key": "the-processing", "type": "clause", "offset": [607, 621]}, {"key": "the-applicable", "type": "clause", "offset": [634, 648]}, {"key": "other-applicable-laws", "type": "clause", "offset": [697, 718]}, {"key": "notifying-us", "type": "clause", "offset": [741, 753]}, {"key": "all-personnel", "type": "clause", "offset": [775, 788]}, {"key": "the-personal-data", "type": "definition", "offset": [858, 875]}, {"key": "your-personnel", "type": "clause", "offset": [903, 917]}, {"key": "access-to-the", "type": "clause", "offset": [955, 968]}, {"key": "for-the-purpose", "type": "clause", "offset": [983, 998]}, {"key": "to-register", "type": "clause", "offset": [1062, 1073]}, {"key": "data-protection-commissioner", "type": "definition", "offset": [1097, 1125]}, {"key": "duration-of-this", "type": "clause", "offset": [1175, 1191]}, {"key": "data-processing-agreement", "type": "clause", "offset": [1192, 1217]}], "snippet": "3.1 You shall, in relation to any Personal Data processed by You in connection with the provision of the Goods and/ or Services under the Principal Agreement:\n(a) process that Personal Data only on Our written instructions unless You are required by the laws of any member of the European Union or by the laws of the European Union applicable to You to process Personal Data (\u201cApplicable Data Laws\u201d);\n(b) where You are relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data under sub- clause (a) above, promptly notify Us of this before performing the processing required by the Applicable Data Laws unless those Applicable Data Laws (or other applicable laws) prohibit You from so notifying Us; and\n(c) ensure that all personnel who have access to and/ or process Personal Data are obliged to keep the Personal Data confidential. Only such of Your personnel who are necessarily required to have access to the Personal Data for the Purpose shall have access to the Personal Data.\n3.2 If We are required to register with the Office of the Data Protection Commissioner, You must also register with that Office for the duration of this Data Processing Agreement.", "samples": [{"hash": "a4jmfJwIInz", "uri": "/contracts/a4jmfJwIInz#data-processor-obligations", "label": "Data Processing Agreement", "score": 25.1355228424, "published": true}], "size": 4, "hash": "84e5398672bfa06e31a53faa43f8d22e", "id": 5}, {"snippet_links": [{"key": "the-contractor-shall", "type": "clause", "offset": [0, 20]}, {"key": "contract-workers", "type": "clause", "offset": [48, 64]}], "snippet": "The Contractor shall (and shall ensure that its Contract Workers and agents shall):", "samples": [{"hash": "cKcHLCeX2zb", "uri": "/contracts/cKcHLCeX2zb#data-processor-obligations", "label": "Supply of Goods and Services Agreement", "score": 28.2057666779, "published": true}, {"hash": "a33puv8jD5w", "uri": "/contracts/a33puv8jD5w#data-processor-obligations", "label": "Supply of Goods and Services Agreement", "score": 27.8663330078, "published": true}, {"hash": "jdYX7YcKYhF", "uri": "/contracts/jdYX7YcKYhF#data-processor-obligations", "label": "Supply of Goods and Services Agreement", "score": 23.2614650726, "published": true}], "size": 3, "hash": "d8eb37c220e848083c0a83d0b9f62c3a", "id": 6}, {"snippet_links": [{"key": "notwithstanding-clause", "type": "clause", "offset": [0, 22]}, {"key": "to-the-extent", "type": "clause", "offset": [28, 41]}, {"key": "receiving-institution", "type": "clause", "offset": [51, 72]}, {"key": "for-and-on-behalf-of", "type": "clause", "offset": [103, 123]}, {"key": "in-relation-to", "type": "clause", "offset": [151, 165]}, {"key": "in-connection-with", "type": "clause", "offset": [177, 195]}, {"key": "in-addition-to", "type": "clause", "offset": [209, 223]}, {"key": "set-out", "type": "definition", "offset": [240, 247]}, {"key": "in-clauses", "type": "clause", "offset": [248, 258]}, {"key": "the-obligations", "type": "clause", "offset": [305, 320]}, {"key": "seventh-data-protection-principle", "type": "definition", "offset": [366, 399]}, {"key": "technical-and-organisational-security-measures", "type": "clause", "offset": [418, 464]}, {"key": "reasonable-steps", "type": "definition", "offset": [595, 611]}, {"key": "to-ensure", "type": "clause", "offset": [612, 621]}, {"key": "personnel-of-the-data-processor", "type": "clause", "offset": [645, 676]}, {"key": "access-to", "type": "definition", "offset": [686, 695]}, {"key": "for-the-purpose-of", "type": "definition", "offset": [784, 802]}, {"key": "obligations-under-this-agreement", "type": "clause", "offset": [818, 850]}, {"key": "purpose-and", "type": "clause", "offset": [870, 881]}, {"key": "in-accordance-with", "type": "definition", "offset": [882, 900]}, {"key": "terms-of-this-agreement", "type": "clause", "offset": [905, 928]}, {"key": "where-necessary", "type": "definition", "offset": [934, 949]}, {"key": "on-instructions", "type": "clause", "offset": [955, 970]}, {"key": "compliance-with-the", "type": "clause", "offset": [1013, 1032]}, {"key": "data-protection-laws", "type": "definition", "offset": [1033, 1053]}, {"key": "representatives-of-the", "type": "clause", "offset": [1066, 1088]}, {"key": "the-requirements", "type": "clause", "offset": [1165, 1181]}, {"key": "clause-9", "type": "clause", "offset": [1190, 1198]}, {"key": "reasonable-notice", "type": "clause", "offset": [1202, 1219]}, {"key": "the-option", "type": "clause", "offset": [1231, 1241]}, {"key": "on-request", "type": "clause", "offset": [1272, 1282]}, {"key": "provide-the", "type": "clause", "offset": [1286, 1297]}, {"key": "evidence-of", "type": "definition", "offset": [1326, 1337]}], "snippet": "Notwithstanding clause 6.1, to the extent that the Receiving Institution is acting as a Data Processor for and on behalf of the Disclosing Institution in relation to Processing in connection with the Purpose, in addition to its obligations set out in clauses 8.1.2 to 8.1.7 inclusive, it will comply with the obligations imposed on the Disclosing Institution by the Seventh Data Protection Principle, namely: maintain technical and organisational security measures sufficient to comply with the obligations imposed on the Disclosing Institution by the Seventh Data Protection Principle and take reasonable steps to ensure the reliability of any personnel of the Data Processor who have access to Speaker Data; only process Speaker Data for and on behalf of the Disclosing Institution for the purpose of performing its obligations under this Agreement in relation to the Purpose and in accordance with the terms of this Agreement (and where necessary only on instructions from the Disclosing Institution to ensure compliance with the Data Protection Laws); and allow representatives of the Disclosing Institution to audit the Receiving Institution's compliance with the requirements of this clause 9 on reasonable notice and/or, at the option of the Disclosing Institution on request to provide the Disclosing Institution with evidence of its compliance with such requirements.", "samples": [{"hash": "eJVrdLc2cHP", "uri": "/contracts/eJVrdLc2cHP#data-processor-obligations", "label": "Data Sharing Agreement", "score": 25.8062973022, "published": true}, {"hash": "7Wo7XF5AdHt", "uri": "/contracts/7Wo7XF5AdHt#data-processor-obligations", "label": "Data Sharing Agreement", "score": 25.7624912262, "published": true}], "size": 2, "hash": "703e61cebe3b95c0a8d308c2c5d12710", "id": 7}, {"snippet_links": [{"key": "the-parties-acknowledge", "type": "clause", "offset": [0, 23]}, {"key": "participant-processes", "type": "definition", "offset": [65, 86]}, {"key": "the-data", "type": "clause", "offset": [87, 95]}, {"key": "the-purpose", "type": "clause", "offset": [108, 119]}, {"key": "participant-will", "type": "clause", "offset": [137, 153]}, {"key": "the-controller", "type": "clause", "offset": [196, 210]}, {"key": "mhhs-implementation-manager", "type": "definition", "offset": [247, 274]}, {"key": "participant-shall", "type": "definition", "offset": [315, 332]}, {"key": "comply-with-the", "type": "clause", "offset": [333, 348]}, {"key": "annex-1", "type": "definition", "offset": [363, 370]}, {"key": "in-clause", "type": "clause", "offset": [441, 450]}, {"key": "agrees-to", "type": "clause", "offset": [475, 484]}, {"key": "the-provisions-of", "type": "clause", "offset": [485, 502]}], "snippet": "The Parties acknowledge that, where as part of SIT, the Industry Participant Processes the Data pursuant to the Purpose:\na) the Industry Participant will be Processing the Data as a Processor;\nb) the Controller shall be Elexon (in its capacity as MHHS Implementation Manager as defined in the BSC);\nc) the Industry Participant shall comply with the provisions in Annex 1;\nd) the Industry Participant, in its capacity as Controller described in Clause 3.2 above, consents and agrees to the provisions of Annex 1.", "samples": [{"hash": "9PWlCpW6cKm", "uri": "/contracts/9PWlCpW6cKm#data-processor-obligations", "label": "Data Sharing Agreement", "score": 34.3226127625, "published": true}, {"hash": "diTvCxZUkaJ", "uri": "/contracts/diTvCxZUkaJ#data-processor-obligations", "label": "Data Sharing Agreement", "score": 34.2266273499, "published": true}], "size": 2, "hash": "fc8180f34394d26bd997f958c9128a83", "id": 8}, {"snippet_links": [], "snippet": "NAIZ FIT and all its personnel are obliged to:", "samples": [{"hash": "l4tafej8YYS", "uri": "/contracts/l4tafej8YYS#data-processor-obligations", "label": "General Terms and Conditions", "score": 25.1861743927, "published": true}, {"hash": "6OWJIS5Vzyq", "uri": "/contracts/6OWJIS5Vzyq#data-processor-obligations", "label": "General Terms and Conditions", "score": 24.8699512482, "published": true}], "size": 2, "hash": "ab7f9e21fd65f8748ab54236c66dae38", "id": 9}, {"snippet_links": [{"key": "in-relation-to", "type": "clause", "offset": [5, 19]}, {"key": "personal-data-processed", "type": "clause", "offset": [24, 47]}, {"key": "by-or-on-behalf-of", "type": "definition", "offset": [48, 66]}, {"key": "global-services", "type": "clause", "offset": [98, 113]}, {"key": "provide-the", "type": "clause", "offset": [176, 187]}, {"key": "services-and", "type": "clause", "offset": [195, 207]}, {"key": "in-accordance-with-the-agreement", "type": "definition", "offset": [223, 255]}, {"key": "this-addendum", "type": "definition", "offset": [257, 270]}, {"key": "processing-instructions", "type": "definition", "offset": [310, 333]}, {"key": "further-defined", "type": "clause", "offset": [349, 364]}, {"key": "exhibit-a", "type": "clause", "offset": [368, 377]}, {"key": "in-the-event", "type": "clause", "offset": [380, 392]}, {"key": "data-protection-laws", "type": "definition", "offset": [398, 418]}, {"key": "process-personal-data", "type": "definition", "offset": [437, 458]}, {"key": "pursuant-to", "type": "clause", "offset": [470, 481]}, {"key": "public-interest", "type": "clause", "offset": [656, 671]}, {"key": "the-nature", "type": "clause", "offset": [835, 845]}, {"key": "associated-with", "type": "definition", "offset": [859, 874]}, {"key": "data-collected", "type": "clause", "offset": [896, 910]}, {"key": "in-connection-with", "type": "clause", "offset": [919, 937]}, {"key": "appropriate-technical-and-organisational-measures", "type": "clause", "offset": [982, 1031]}, {"key": "processing-of-personal-data-by", "type": "clause", "offset": [1051, 1081]}, {"key": "the-requirements", "type": "clause", "offset": [1129, 1145]}, {"key": "the-rights-of-data-subjects", "type": "clause", "offset": [1199, 1226]}, {"key": "to-ensure", "type": "clause", "offset": [1239, 1248]}, {"key": "in-respect-of", "type": "clause", "offset": [1269, 1282]}, {"key": "the-risks", "type": "clause", "offset": [1331, 1340]}, {"key": "presented-by", "type": "definition", "offset": [1350, 1362]}, {"key": "in-particular", "type": "clause", "offset": [1379, 1392]}, {"key": "disclosure-of", "type": "clause", "offset": [1465, 1478]}, {"key": "access-to-personal-data", "type": "clause", "offset": [1483, 1506]}, {"key": "without-prejudice-to-clause", "type": "clause", "offset": [1561, 1588]}, {"key": "to-assist", "type": "clause", "offset": [1621, 1630]}, {"key": "respond-to", "type": "clause", "offset": [1691, 1701]}, {"key": "data-subject-requests", "type": "definition", "offset": [1702, 1723]}, {"key": "relating-to", "type": "definition", "offset": [1724, 1735]}, {"key": "prior-written-consent", "type": "clause", "offset": [1836, 1857]}, {"key": "the-performance", "type": "clause", "offset": [1910, 1925]}, {"key": "without-prejudice-to-any", "type": "clause", "offset": [1964, 1988]}, {"key": "other-provision", "type": "clause", "offset": [1989, 2004]}, {"key": "processing-personal-data", "type": "clause", "offset": [2052, 2076]}, {"key": "compliance-with", "type": "clause", "offset": [2129, 2144]}, {"key": "the-data", "type": "clause", "offset": [2163, 2171]}, {"key": "applicable-to", "type": "definition", "offset": [2188, 2201]}, {"key": "subject-to", "type": "definition", "offset": [2303, 2313]}, {"key": "contractual-obligation", "type": "definition", "offset": [2332, 2354]}, {"key": "in-accordance-with-law", "type": "clause", "offset": [2443, 2465]}, {"key": "where-practicable", "type": "definition", "offset": [2495, 2512]}, {"key": "prohibited-by-law", "type": "clause", "offset": [2521, 2538]}, {"key": "such-information", "type": "definition", "offset": [2619, 2635]}, {"key": "other-assistance", "type": "clause", "offset": [2654, 2670]}, {"key": "nature-of-processing", "type": "clause", "offset": [2719, 2739]}, {"key": "available-to", "type": "definition", "offset": [2760, 2772]}, {"key": "ensuring-compliance", "type": "clause", "offset": [2798, 2817]}, {"key": "with-respect-to", "type": "clause", "offset": [2886, 2901]}, {"key": "security-of-processing", "type": "clause", "offset": [2907, 2929]}, {"key": "impact-assessments", "type": "clause", "offset": [2941, 2959]}, {"key": "remedial-action", "type": "definition", "offset": [3009, 3024]}, {"key": "personal-data-breach", "type": "definition", "offset": [3077, 3097]}, {"key": "each-case", "type": "definition", "offset": [3138, 3147]}, {"key": "notification-of", "type": "clause", "offset": [3207, 3222]}, {"key": "supervisory-authorities", "type": "clause", "offset": [3251, 3274]}, {"key": "communication-to", "type": "clause", "offset": [3282, 3298]}, {"key": "requests-from-data-subjects", "type": "clause", "offset": [3346, 3373]}, {"key": "requests-for", "type": "clause", "offset": [3403, 3415]}, {"key": "other-requests", "type": "clause", "offset": [3441, 3455]}, {"key": "information-and-cooperation", "type": "clause", "offset": [3587, 3614]}, {"key": "prior-written-approval", "type": "clause", "offset": [3816, 3838]}, {"key": "without-undue-delay", "type": "definition", "offset": [3936, 3955]}, {"key": "nature-and-cause", "type": "clause", "offset": [4075, 4091]}, {"key": "data-records", "type": "clause", "offset": [4218, 4230]}, {"key": "consequences-of", "type": "definition", "offset": [4313, 4328]}, {"key": "recipients-of-the-personal-data", "type": "clause", "offset": [4375, 4406]}, {"key": "to-mitigate", "type": "definition", "offset": [4512, 4523]}, {"key": "adverse-effects", "type": "definition", "offset": [4537, 4552]}], "snippet": "3.1. In relation to any Personal Data processed by or on behalf of Global in the provision of the Global Services, Global shall:\n(a) only process the Personal Data in order to provide the Global Services and shall act only in accordance with the Agreement, this Addendum and on the instruction of Advertiser (\"Processing Instructions\" and as may be further defined in Exhibit A). In the event that Data Protection Laws require Global to process Personal Data other than pursuant to Advertiser's instruction, Global will notify Advertiser before processing such Personal Data (unless prohibited from so doing by Data Protection Laws on important grounds of public interest);\n(b) as soon as reasonably practicable inform Advertiser if, in its opinion, an instruction of Advertiser infringes Data Protection Laws;\n(c) taking into account the nature of and risks associated with the type of Personal Data collected or used in connection with the Global Services, implement and maintain appropriate technical and organisational measures in relation to the processing of Personal Data by Global:\n(i) such that the processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects;\n(ii) so as to ensure a level of security in respect of Personal Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed; and\n(iii) without prejudice to clause 3.1(h), insofar as is possible, to assist Advertiser in the fulfilment of Advertiser's obligations to respond to Data Subject Requests relating to Personal Data.\n(d) not engage Sub-Processors in respect of the Global Services without Advertiser's prior written consent. Global shall remain fully liable to Advertiser for the performance of a Sub-Processor's obligations;\n(e) without prejudice to any other provision of this Addendum, ensure that Global personnel processing Personal Data are reliable and have received adequate training on compliance with this Addendum and the Data Protection Laws applicable to the processing;\n(f) ensure that all Sub-Processors and Global personnel processing Personal Data are subject to a binding written contractual obligation with Global to keep the Personal Data confidential (except where disclosure is required in accordance with law, in which case Global shall, where practicable and not prohibited by law, notify Advertiser of any such requirement before such disclosure);\n(g) provide such information, co-operation and other assistance as Advertiser requires (taking into account the nature of processing and the information available to Global) to Advertiser in ensuring compliance with Advertiser's obligations under Data Protection Laws, including with respect to:\n(i) security of processing;\n(ii) data impact assessments (as defined by Data Protection Laws);\n(iii) (any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to Advertiser's prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.\n(h) In relation to requests from Data Subjects:\n(iv) refer all Data Subject requests for notification, erasure or other requests under Data Protection Laws (\"Data Subject Requests\") it receives to Advertiser as soon as reasonably practicable;\n(v) provide such information and cooperation and take such action as Advertiser requests in relation to a Data Subject Request, as soon as reasonably practicable; and\n(vi) not respond to any Data Subject Request or Complaint without Advertiser's prior written approval.\n(i) In respect of any Personal Data Breach:\n(vii) notify Advertiser of the Personal Data Breach without undue delay;\n(viii) provide Advertiser without undue delay with such details as Advertiser reasonably requires regarding:\n(ix) the nature and cause or possible cause of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data records concerned;\n(x) any investigations into such Personal Data Breach;\n(xi) the likely consequences of the Personal Data Breach and the unauthorised recipients of the Personal Data; and\n(xii) any measures taken, or that Global recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects.", "samples": [{"hash": "sAodcSYtd", "uri": "/contracts/sAodcSYtd#data-processor-obligations", "label": "Data Processing Addendum", "score": 31.0827407837, "published": true}], "size": 2, "hash": "ff5c9985afe4126efd48744cdbac93d8", "id": 10}], "next_curs": "CmMSXWoVc35sYXdpbnNpZGVyY29udHJhY3Rzcj8LEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IiNkYXRhLXByb2Nlc3Nvci1vYmxpZ2F0aW9ucyMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"title": "Data Processor Obligations", "children": [["data-security", "Data Security"], ["data-breach-notification", "Data Breach Notification"], ["data-rights-compliance", "Data Rights Compliance"], ["audits-and-inspections", "Audits and Inspections"], ["", ""]], "parents": [["data-protection", "Data Protection"], ["training", "Training"], ["data-protection-security-and-integrity", "Data Protection, Security and Integrity"], ["e-learning", "E-LEARNING"], ["governing-law-dispute-resolution", "Governing Law & Dispute Resolution"]], "size": 75, "id": "data-processor-obligations", "related": [["processor-obligations", "Processor Obligations", "Processor Obligations"], ["contractor-obligations", "Contractor Obligations", "Contractor Obligations"], ["customer-obligations", "Customer Obligations", "Customer Obligations"], ["supplier-obligations", "Supplier Obligations", "Supplier Obligations"], ["contractor-obligation", "CONTRACTOR OBLIGATION", "CONTRACTOR OBLIGATION"]], "related_snippets": [], "updated": "2025-07-23T06:00:56+00:00", "also_ask": [], "drafting_tip": "", "explanation": "The Data Processor Obligations clause defines the responsibilities and duties of a party that processes personal data on behalf of another entity, typically the data controller. This clause outlines requirements such as following the controller\u2019s instructions, implementing appropriate security measures, and assisting with data subject rights requests. Its core function is to ensure that personal data is handled in compliance with applicable data protection laws, thereby protecting individuals\u2019 privacy and reducing the risk of unauthorized data use or breaches."}, "json": true, "cursor": ""}}