{"component": "clause", "props": {"groups": [{"size": 10, "snippet_links": [{"key": "the-parties-agree-that", "type": "clause", "offset": [4, 26]}, {"key": "the-subject", "type": "clause", "offset": [27, 38]}, {"key": "duration-of-processing", "type": "definition", "offset": [50, 72]}, {"key": "performed-by", "type": "clause", "offset": [73, 85]}, {"key": "data-processor", "type": "clause", "offset": [90, 104]}, {"key": "processing-agreement", "type": "definition", "offset": [116, 136]}, {"key": "the-purchase-agreement", "type": "clause", "offset": [141, 163]}, {"key": "nature-and-purpose-of-processing", "type": "clause", "offset": [179, 211]}, {"key": "type-of-personal-data", "type": "definition", "offset": [217, 238]}, {"key": "categories-of-data-subjects", "type": "clause", "offset": [244, 271]}, {"key": "the-data-controller", "type": "definition", "offset": [369, 388]}, {"key": "the-obligations", "type": "clause", "offset": [452, 467]}, {"key": "gdpr-articles", "type": "clause", "offset": [490, 503]}, {"key": "process-personal-data", "type": "definition", "offset": [577, 598]}, {"key": "in-accordance-with", "type": "definition", "offset": [599, 617]}, {"key": "management-of-the", "type": "clause", "offset": [730, 747]}, {"key": "an-appropriate", "type": "clause", "offset": [937, 951]}, {"key": "obligation-of-confidentiality", "type": "clause", "offset": [962, 991]}, {"key": "measures-to", "type": "clause", "offset": [1127, 1138]}, {"key": "accidental-loss", "type": "definition", "offset": [1242, 1257]}, {"key": "unauthorized-disclosure", "type": "definition", "offset": [1271, 1294]}, {"key": "data-security-breach", "type": "clause", "offset": [1306, 1326]}, {"key": "provided-that", "type": "clause", "offset": [1329, 1342]}, {"key": "take-into-account", "type": "definition", "offset": [1363, 1380]}, {"key": "state-of-the-art", "type": "clause", "offset": [1385, 1401]}, {"key": "costs-of", "type": "definition", "offset": [1407, 1415]}, {"key": "purposes-of-processing", "type": "clause", "offset": [1466, 1488]}, {"key": "rights-and-freedoms", "type": "clause", "offset": [1553, 1572]}, {"key": "natural-persons", "type": "clause", "offset": [1576, 1591]}, {"key": "to-ensure", "type": "clause", "offset": [1599, 1608]}, {"key": "the-risks", "type": "clause", "offset": [1644, 1653]}, {"key": "represented-by", "type": "clause", "offset": [1654, 1668]}, {"key": "the-personal-data", "type": "definition", "offset": [1702, 1719]}, {"key": "be-protected", "type": "clause", "offset": [1723, 1735]}, {"key": "consistent-with-the", "type": "clause", "offset": [1761, 1780]}, {"key": "data-security-standards", "type": "definition", "offset": [1789, 1812]}, {"key": "notify-the", "type": "clause", "offset": [1843, 1853]}, {"key": "without-undue-delay", "type": "definition", "offset": [1909, 1928]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [1963, 1980]}, {"key": "services-data", "type": "clause", "offset": [2044, 2057]}, {"key": "cooperate-with", "type": "clause", "offset": [2065, 2079]}, {"key": "to-mitigate", "type": "definition", "offset": [2113, 2124]}, {"key": "reasonable-steps", "type": "definition", "offset": [2260, 2276]}, {"key": "to-assist", "type": "clause", "offset": [2316, 2325]}, {"key": "the-investigation", "type": "clause", "offset": [2329, 2346]}, {"key": "the-requirements", "type": "clause", "offset": [2461, 2477]}, {"key": "clause-5", "type": "definition", "offset": [2481, 2489]}, {"key": "nature-of-the-processing", "type": "clause", "offset": [2549, 2573]}, {"key": "assist-the", "type": "clause", "offset": [2600, 2610]}, {"key": "respond-to", "type": "clause", "offset": [2777, 2787]}, {"key": "requests-from-data-subjects", "type": "clause", "offset": [2788, 2815]}, {"key": "to-exercise", "type": "clause", "offset": [2816, 2827]}, {"key": "data-subject-request", "type": "definition", "offset": [2856, 2876]}, {"key": "in-the-event-the", "type": "clause", "offset": [2880, 2896]}, {"key": "prohibited-by-law", "type": "clause", "offset": [2991, 3008]}, {"key": "subject-to-the", "type": "definition", "offset": [3026, 3040]}, {"key": "available-to", "type": "definition", "offset": [3216, 3228]}, {"key": "written-request", "type": "definition", "offset": [3302, 3317]}, {"key": "reasonable-expense", "type": "definition", "offset": [3407, 3425]}, {"key": "prior-to-the", "type": "clause", "offset": [3434, 3446]}, {"key": "as-required", "type": "clause", "offset": [3537, 3548]}, {"key": "upon-request", "type": "definition", "offset": [3565, 3577]}, {"key": "provide-the", "type": "clause", "offset": [3604, 3615]}, {"key": "information-and-assistance", "type": "clause", "offset": [3661, 3687]}, {"key": "data-protection-impact-assessment", "type": "definition", "offset": [3834, 3867]}, {"key": "supervisory-authority", "type": "clause", "offset": [3871, 3892]}, {"key": "upon-termination-of-the", "type": "clause", "offset": [3948, 3971]}, {"key": "access-to-and-use-of-the-services", "type": "clause", "offset": [3990, 4023]}, {"key": "clause-9", "type": "clause", "offset": [4082, 4090]}, {"key": "clause-6", "type": "definition", "offset": [4153, 4161]}, {"key": "make-available", "type": "definition", "offset": [4165, 4179]}, {"key": "compliance-with", "type": "clause", "offset": [4254, 4269]}, {"key": "security-officer", "type": "clause", "offset": [4340, 4356]}, {"key": "point-of-contact", "type": "clause", "offset": [4375, 4391]}, {"key": "processing-instructions", "type": "definition", "offset": [4597, 4620]}, {"key": "law-or-regulation", "type": "definition", "offset": [4634, 4651]}, {"key": "processing-of-personal-data", "type": "clause", "offset": [4709, 4736]}, {"key": "to-be-in-violation", "type": "definition", "offset": [4754, 4772]}], "samples": [{"hash": "1SUgdPobiCi", "uri": "/contracts/1SUgdPobiCi#data-processors-obligations", "label": "Data Processing Agreement", "score": 31.3515453339, "published": true}, {"hash": "3VDKRyTqfru", "uri": "/contracts/3VDKRyTqfru#data-processors-obligations", "label": "Data Processing Agreement", "score": 30.0425415039, "published": true}], "snippet": "4.1 The Parties agree that the subject-matter and duration of Processing performed by the Data Processor under this Processing Agreement and the Purchase Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A.\n4.2 As part of the Data Processor providing the Services to the Data Controller under the Purchase Agreement, Data Processor shall comply with the obligations imposed upon it under GDPR Articles 28 - 32 and agrees and declares as follows:\n(a) The Data Processor shall process Personal Data in accordance with the instructions set forth in this Processing Agreement;\n(b) the Data Processor shall ensure that all staff and management of the Data Processor are fully aware of their responsibilities to protect Personal Data in accordance with this Processing Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with GDPR Article 28(3)(b);\n(c) the Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (Data Security Breach), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including data security consistent with the Humly\u2019s Data Security Standards;\n(d) the Data Processor shall notify the Data Controller in accordance with GDPR Article 33(2), without undue delay but in any event within 48 hours, in the event of a confirmed Data Security Breach affecting the Data Controller\u2019s Services Data and to cooperate with the Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, the Data Processor shall cooperate with the Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under GDPR;\n(e) the Data Processor shall comply with the requirements of Clause 5 when engaging a Sub-Processor;\n(f) taking into account the nature of the Processing, the Data Processor shall assist the Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller\u2019s obligation to respond to requests from Data Subjects to exercise their rights under GDPR (a \u201cData Subject Request\u201d). In the event the Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller. However, in the event the Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to the Data Controller, the Data Processor, shall, on the Data Controller\u2019s written request and the Data Controller\u2019s instruction to the Data Processor, and at the Data Processor\u2019s reasonable expense (scoped prior to the Data Processor\u2019s response to the Data Subject Request), address the Data Subject Request, as required under GDPR;\n(g) upon request, the Data Processor shall provide the Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to the Data Processor, to help the Data Controller to conduct any data protection impact assessment or Supervisory Authority consultation it is required to conduct under GDPR;\n(h) upon termination of the Data Controller\u2019s access to and use of the Services, the Data Processor shall comply with the requirements of Clause 9;\n(i) the Data Processor shall comply with the requirements of Clause 6 to make available to the Data Controller information that demonstrates the Data Processor\u2019s compliance with this Processing Agreement; and\n(j) the Data Processor shall appoint a security officer who will act as a point of contact for the Data Controller, and coordinate and control compliance with this Processing Agreement.\n4.3 The Data Processor shall immediately inform the Data Controller if, in its opinion, the Data Controller\u2019s processing instructions infringe any law or regulation. In such event, the Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.", "hash": "e4932fc38fdd423a6e704e4d1d4770c6", "id": 1}, {"size": 6, "snippet_links": [{"key": "the-data-controller", "type": "definition", "offset": [5, 24]}, {"key": "purposes-of-processing", "type": "clause", "offset": [40, 62]}, {"key": "provision-of-the-service", "type": "clause", "offset": [92, 116]}, {"key": "in-relation-to", "type": "clause", "offset": [123, 137]}, {"key": "data-processor", "type": "clause", "offset": [172, 186]}, {"key": "adhere-to", "type": "clause", "offset": [201, 210]}, {"key": "the-client", "type": "definition", "offset": [329, 339]}, {"key": "provide-the", "type": "clause", "offset": [375, 386]}, {"key": "subject-to-the", "type": "definition", "offset": [396, 410]}, {"key": "written-instructions", "type": "definition", "offset": [429, 449]}, {"key": "in-case", "type": "clause", "offset": [521, 528]}, {"key": "applicable-data-protection-laws", "type": "clause", "offset": [592, 623]}, {"key": "in-no-case", "type": "clause", "offset": [625, 635]}, {"key": "the-obligation", "type": "clause", "offset": [664, 678]}, {"key": "with-respect-to", "type": "clause", "offset": [727, 742]}, {"key": "without-undue-delay", "type": "definition", "offset": [834, 853]}, {"key": "contact-or-communication", "type": "definition", "offset": [861, 885]}, {"key": "supervisory-authority", "type": "clause", "offset": [905, 926]}, {"key": "processing-of-client-personal-data", "type": "clause", "offset": [946, 980]}, {"key": "the-parties-acknowledge-and-agree-that", "type": "clause", "offset": [998, 1036]}, {"key": "responsibility-for", "type": "clause", "offset": [1041, 1059]}, {"key": "technical-and-organizational-measures", "type": "clause", "offset": [1197, 1234]}, {"key": "annex-2", "type": "definition", "offset": [1262, 1269]}, {"key": "aimed-at", "type": "definition", "offset": [1278, 1286]}, {"key": "adequate-alternative-measures", "type": "clause", "offset": [1419, 1448]}, {"key": "alternative-locations", "type": "clause", "offset": [1456, 1477]}, {"key": "security-level", "type": "clause", "offset": [1493, 1507]}, {"key": "performance-of-the-service", "type": "clause", "offset": [1728, 1754]}, {"key": "an-appropriate", "type": "clause", "offset": [1851, 1865]}, {"key": "obligation-of-confidentiality", "type": "clause", "offset": [1876, 1905]}], "samples": [{"hash": "kHJdEt2Gb2J", "uri": "/contracts/kHJdEt2Gb2J#data-processors-obligations", "label": "Personal Data Processing Agreement", "score": 29.4047336578, "published": true}, {"hash": "c3qtLZ8HSQ2", "uri": "/contracts/c3qtLZ8HSQ2#data-processors-obligations", "label": "Personal Data Processing Agreement", "score": 29.4047336578, "published": true}, {"hash": "2l6mDZpYH94", "uri": "/contracts/2l6mDZpYH94#data-processors-obligations", "label": "Personal Data Processing Agreement", "score": 29.4047336578, "published": true}], "snippet": "3.1. The Data Controller determines the purposes of Processing Client Personal Data for the provision of the Service.\n3.2. In relation to the provision of the Service, the Data Processor undertakes to adhere to the following obligations including those defined in Annexes 1 and 2 attached hereto:\na) The Data Processor Processes the Client Personal Data only as necessary to provide the Service, subject to the Data Controller\u2019s written instructions in the present DPA;\nb) The Data Processor notifies the Data Controller in case it considers a Data Controller\u2019s written instruction to breach Applicable Data Protection Laws. In no case is the Data Processor under the obligation of performing a comprehensive legal examination with respect to a Client\u2019s written instruction;\nc) Register as Data Processor notifies the Data Controller without undue delay of any contact or communication it receives from a Supervisory Authority in relation to the Processing of Client Personal Data. In this regard, the Parties acknowledge and agree that the responsibility for replying to such requests rests on the Data Controller and not on the Data Processor;\nd) The Data Processor has implemented operational, technical and organizational measures, including as described in Annex 2 hereto, aimed at protecting the Client Personal Data. The Parties acknowledge and agree that the Data Processor is specifically allowed to implement adequate alternative measures or use alternative locations as long as the security level of the measures or of the locations is maintained or strengthened compared to the declared measures;\ne) In case the Data Processor discloses Client Personal Data to its personnel directly and exclusively involved in the performance of the Service, the Data Processor ensures that such personnel: i) is committed to confidentiality or is under an appropriate statutory obligation of confidentiality and;", "hash": "d4935cf7da228caa9514d14d2596b19a", "id": 2}, {"size": 4, "snippet_links": [{"key": "data-processor", "type": "clause", "offset": [8, 22]}, {"key": "the-personal-data", "type": "definition", "offset": [37, 54]}, {"key": "in-compliance-with", "type": "definition", "offset": [60, 78]}, {"key": "level-of-protection", "type": "definition", "offset": [118, 137]}, {"key": "resulting-from-the", "type": "clause", "offset": [138, 156]}, {"key": "data-privacy-regulations", "type": "definition", "offset": [157, 181]}, {"key": "in-force", "type": "definition", "offset": [187, 195]}, {"key": "purpose-of-processing", "type": "clause", "offset": [224, 245]}, {"key": "agreed-territory", "type": "definition", "offset": [267, 283]}, {"key": "agreed-retention-period", "type": "definition", "offset": [312, 335]}, {"key": "security-measures", "type": "definition", "offset": [403, 420]}, {"key": "the-risk", "type": "clause", "offset": [422, 430]}, {"key": "unauthorised-disclosure", "type": "clause", "offset": [488, 511]}, {"key": "processing-operations", "type": "clause", "offset": [526, 547]}, {"key": "reasonable-suspicion", "type": "definition", "offset": [668, 688]}, {"key": "personal-data-breach", "type": "definition", "offset": [692, 712]}, {"key": "in-accordance-with", "type": "definition", "offset": [721, 739]}, {"key": "section-12", "type": "definition", "offset": [740, 750]}, {"key": "cooperate-with", "type": "clause", "offset": [787, 801]}, {"key": "the-data-controller", "type": "definition", "offset": [802, 821]}, {"key": "to-exercise", "type": "clause", "offset": [915, 926]}, {"key": "granted-to", "type": "definition", "offset": [938, 948]}, {"key": "data-subject-rights", "type": "definition", "offset": [1027, 1046]}, {"key": "notify-the", "type": "clause", "offset": [1156, 1166]}, {"key": "data-subjects", "type": "definition", "offset": [1203, 1216]}, {"key": "respond-to", "type": "clause", "offset": [1271, 1281]}, {"key": "related-action", "type": "definition", "offset": [1317, 1331]}, {"key": "authorised-by", "type": "clause", "offset": [1339, 1352]}, {"key": "the-processing-of-personal-data", "type": "clause", "offset": [1529, 1560]}], "samples": [{"hash": "caQl7IRKsA0", "uri": "/contracts/caQl7IRKsA0#data-processors-obligations", "label": "Esa Contract", "score": 30.2659893036, "published": true}, {"hash": "hem8Q1ac5D3", "uri": "/contracts/hem8Q1ac5D3#data-processors-obligations", "label": "Expro Service", "score": 25.4640655518, "published": true}], "snippet": "5.1 The Data Processor shall process the Personal Data:\n(i) in compliance with this PDP Annex and, generally, and the level of protection resulting from the Data Privacy Regulations then in force;\n(ii) solely for the Agreed Purpose of Processing;\n(iii) solely in the Agreed Territory;\n(iv) without exceeding the Agreed Retention period;\n(v) in such a way as to minimise, by means of suitable preventive security measures, the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, or Processing operations that are either unlawful or inconsistent with the Agreed Purpose.\n5.2 The Data Processor shall promptly investigate any reasonable suspicion of Personal Data Breach and act in accordance with Section 12 below.\n5.3 The Data Processor shall cooperate with the Data Controller to enable the latter to guarantee to every Data Subject or his/her delegates the possibility to exercise the rights granted to him/her by the Data Privacy Regulations. The Data Processor acknowledges that Data Subject rights shall be exercised only through the Data Controller. Therefore, the Data Processor undertakes to immediately notify the Data Controller of any request that Data Subjects, address directly to the Data Processor, and will not respond to any such request or take any other related action, until authorised by the Data Controller. 5.4 The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes any provision on the Processing of Personal Data under the present Agreement.", "hash": "5420e0c4897e3959c91d82c689a663bc", "id": 3}, {"size": 3, "snippet_links": [{"key": "the-processor", "type": "definition", "offset": [5, 18]}, {"key": "documented-instructions", "type": "definition", "offset": [43, 66]}, {"key": "the-controller", "type": "clause", "offset": [99, 113]}, {"key": "or-personnel", "type": "definition", "offset": [138, 150]}, {"key": "with-respect-to", "type": "clause", "offset": [152, 167]}, {"key": "the-processing-of-personal-data", "type": "clause", "offset": [168, 199]}, {"key": "in-the-agreement", "type": "clause", "offset": [256, 272]}, {"key": "data-processor", "type": "clause", "offset": [403, 417]}, {"key": "will-provide", "type": "clause", "offset": [418, 430]}, {"key": "assistance-to-the-data-controller", "type": "clause", "offset": [442, 475]}, {"key": "complying-with", "type": "clause", "offset": [494, 508]}, {"key": "data-subject", "type": "clause", "offset": [533, 545]}, {"key": "applicable-regulatory-authorities", "type": "definition", "offset": [583, 616]}, {"key": "in-relation-to", "type": "clause", "offset": [678, 692]}, {"key": "the-personal-data", "type": "definition", "offset": [693, 710]}, {"key": "where-necessary", "type": "definition", "offset": [749, 764]}, {"key": "notice-to-the", "type": "clause", "offset": [781, 794]}, {"key": "in-accordance-with", "type": "definition", "offset": [808, 826]}, {"key": "data-protection-laws", "type": "definition", "offset": [827, 847]}, {"key": "data-to-be-provided", "type": "clause", "offset": [874, 893]}, {"key": "other-party", "type": "definition", "offset": [915, 926]}, {"key": "contemplated-by-this-agreement", "type": "clause", "offset": [930, 960]}, {"key": "territorial-boundaries", "type": "definition", "offset": [1038, 1060]}, {"key": "the-transferor", "type": "clause", "offset": [1062, 1076]}, {"key": "the-recipient", "type": "definition", "offset": [1095, 1108]}, {"key": "contractual-obligations", "type": "definition", "offset": [1131, 1154]}, {"key": "this-addendum", "type": "definition", "offset": [1240, 1253]}, {"key": "applicable-legislation", "type": "clause", "offset": [1386, 1408]}, {"key": "nature-of-the-processing", "type": "clause", "offset": [1474, 1498]}, {"key": "available-to", "type": "definition", "offset": [1519, 1531]}, {"key": "assist-the", "type": "clause", "offset": [1577, 1587]}, {"key": "data-protection-impact-assessments", "type": "clause", "offset": [1632, 1666]}, {"key": "as-required", "type": "clause", "offset": [1676, 1687]}], "samples": [{"hash": "bF23SJOhR7R", "uri": "/contracts/bF23SJOhR7R#data-processors-obligations", "label": "Data Processing Agreement", "score": 35.7733306885, "published": true}, {"hash": "hI036gKuVXn", "uri": "/contracts/hI036gKuVXn#data-processors-obligations", "label": "Data Processing Agreement", "score": 35.525932312, "published": true}, {"hash": "dzKknKIWdQe", "uri": "/contracts/dzKknKIWdQe#data-processors-obligations", "label": "Data Processing Agreement", "score": 34.5409507751, "published": true}], "snippet": "7.1. The Processor will follow written and documented instructions received, including email, from the Controller, its affiliate, agents, or personnel, with respect to the Processing of Personal Data (each, an \u201cInstruction\u201d).\n7.2. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.\n7.3. At the Data Controller\u2019s request, the Data Processor will provide reasonable assistance to the Data Controller in responding to/ complying with requests/ directions by Data Subject in exercising their rights or of the applicable regulatory authorities regarding Data Processor\u2019s Processing of Personal Data.\n7.4. In relation to the Personal Data, Data Processor shall obtain consent (where necessary) and/or provide notice to the Data Subject in accordance with Data Protection Laws to enable shared Personal Data to be provided to, and used by, the other Party as contemplated by this Agreement.\n7.5. Where shared Personal Data is transferred outside the Data Processor\u2019s territorial boundaries, the transferor shall ensure that the recipient of such data is under contractual obligations to protect such Personal Data to the same or higher standards as those imposed under this Addendum and the Data Protection Laws.\n7.6. The processor shall inform the controller if, in its opinion, a processing instruction infringes applicable legislation or regulation.\n7.7. As A Data Processor ,taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall assist the data controller in conducting any necessary Data Protection Impact Assessments (DPIAs), as required under GDPR.", "hash": "3f2fd259b3358cc798b3a8f9049744ce", "id": 4}, {"size": 3, "snippet_links": [{"key": "data-processor", "type": "clause", "offset": [4, 18]}, {"key": "on-behalf-of", "type": "definition", "offset": [31, 43]}, {"key": "on-instructions", "type": "clause", "offset": [48, 63]}, {"key": "the-data-controller", "type": "definition", "offset": [69, 88]}, {"key": "in-connection-with", "type": "clause", "offset": [89, 107]}, {"key": "the-performance", "type": "clause", "offset": [108, 123]}, {"key": "project-tasks", "type": "definition", "offset": [138, 151]}, {"key": "the-processing-of-personal-data", "type": "clause", "offset": [209, 240]}, {"key": "comply-with-the", "type": "clause", "offset": [290, 305]}, {"key": "data-protection-rules", "type": "definition", "offset": [306, 327]}, {"key": "process-personal-data", "type": "definition", "offset": [396, 417]}, {"key": "in-accordance-with", "type": "definition", "offset": [418, 436]}, {"key": "general-principles", "type": "definition", "offset": [441, 459]}, {"key": "the-general-data-protection-regulation", "type": "clause", "offset": [483, 521]}, {"key": "assist-the", "type": "clause", "offset": [523, 533]}, {"key": "complying-with", "type": "clause", "offset": [553, 567]}, {"key": "rights-of-the", "type": "clause", "offset": [587, 600]}, {"key": "record-of-processing-activities", "type": "clause", "offset": [628, 659]}, {"key": "upon-request", "type": "definition", "offset": [718, 730]}, {"key": "provide-the", "type": "clause", "offset": [756, 767]}, {"key": "sufficient-information", "type": "definition", "offset": [789, 811]}, {"key": "to-allow-the", "type": "clause", "offset": [812, 824]}, {"key": "to-ensure", "type": "clause", "offset": [841, 850]}, {"key": "technical-and-organisational-security-measures", "type": "clause", "offset": [868, 914]}, {"key": "where-the-personal", "type": "clause", "offset": [990, 1008]}, {"key": "access-to-the", "type": "clause", "offset": [1047, 1060]}, {"key": "required-by", "type": "definition", "offset": [1082, 1093]}, {"key": "only-persons", "type": "clause", "offset": [1151, 1163]}, {"key": "such-information", "type": "definition", "offset": [1184, 1200]}, {"key": "for-the-purpose-of", "type": "definition", "offset": [1201, 1219]}, {"key": "the-purpose-of-the-agreement", "type": "clause", "offset": [1231, 1259]}, {"key": "possession-of-the", "type": "clause", "offset": [1421, 1438]}, {"key": "for-purposes", "type": "definition", "offset": [1633, 1645]}, {"key": "contravention-of-this-agreement", "type": "clause", "offset": [1705, 1736]}, {"key": "an-independent", "type": "clause", "offset": [1870, 1884]}, {"key": "legal-basis", "type": "definition", "offset": [1885, 1896]}, {"key": "status-of", "type": "clause", "offset": [1958, 1967]}, {"key": "impact-assessment", "type": "clause", "offset": [2042, 2059]}, {"key": "requested-by", "type": "clause", "offset": [2217, 2229]}, {"key": "unauthorised-disclosure", "type": "clause", "offset": [2512, 2535]}, {"key": "processing-of-the-personal-data", "type": "clause", "offset": [2546, 2577]}, {"key": "violation-of-the", "type": "clause", "offset": [2581, 2597]}, {"key": "electronic-registration", "type": "clause", "offset": [2713, 2736]}, {"key": "use-of-personal-data", "type": "clause", "offset": [2754, 2774]}, {"key": "the-registration", "type": "clause", "offset": [2790, 2806]}, {"key": "user-access", "type": "definition", "offset": [2847, 2858]}, {"key": "software-and-hardware", "type": "clause", "offset": [2884, 2905]}, {"key": "be-safe", "type": "definition", "offset": [2953, 2960]}, {"key": "transferred-electronically", "type": "definition", "offset": [3023, 3049]}, {"key": "storage-media", "type": "definition", "offset": [3116, 3129]}, {"key": "not-accessible", "type": "definition", "offset": [3191, 3205]}, {"key": "unauthorised-persons", "type": "definition", "offset": [3209, 3229]}, {"key": "staff-members", "type": "definition", "offset": [3272, 3285]}, {"key": "instructions-and-guidelines", "type": "clause", "offset": [3455, 3482]}, {"key": "processing-personal-data", "type": "clause", "offset": [3594, 3618]}, {"key": "security-requirements", "type": "definition", "offset": [3641, 3662]}, {"key": "the-repair", "type": "definition", "offset": [3683, 3693]}, {"key": "security-regulations", "type": "clause", "offset": [3859, 3879]}, {"key": "to-the-extent", "type": "clause", "offset": [3891, 3904]}, {"key": "use-of-home", "type": "clause", "offset": [3935, 3946]}, {"key": "period-of-time", "type": "clause", "offset": [4043, 4057]}, {"key": "reasonable-time", "type": "definition", "offset": [4157, 4172]}, {"key": "change-of", "type": "clause", "offset": [4208, 4217]}, {"key": "storage-location", "type": "definition", "offset": [4218, 4234]}, {"key": "data-centre-location", "type": "definition", "offset": [4287, 4307]}, {"key": "physical-address", "type": "clause", "offset": [4309, 4325]}, {"key": "confidentiality-and-secrecy", "type": "clause", "offset": [4327, 4354]}, {"key": "business-partners", "type": "definition", "offset": [4443, 4460]}, {"key": "temporary-staff", "type": "clause", "offset": [4484, 4499]}, {"key": "subject-to-the", "type": "definition", "offset": [4509, 4523]}, {"key": "secrecy-and-confidentiality", "type": "clause", "offset": [4532, 4559]}, {"key": "public-administration", "type": "clause", "offset": [4593, 4614]}, {"key": "section-27", "type": "clause", "offset": [4637, 4647]}, {"key": "the-danish", "type": "clause", "offset": [4651, 4661]}, {"key": "administration-act", "type": "definition", "offset": [4669, 4687]}, {"key": "criminal-code", "type": "definition", "offset": [4726, 4739]}, {"key": "obligations-under-the", "type": "clause", "offset": [5080, 5101]}, {"key": "to-maintain", "type": "clause", "offset": [5162, 5173]}, {"key": "termination-of-the-agreement", "type": "clause", "offset": [5219, 5247]}, {"key": "transfer-of-the-personal-data", "type": "clause", "offset": [5268, 5297]}, {"key": "prior-written-consent", "type": "clause", "offset": [5376, 5397]}, {"key": "responsibility-of-the", "type": "clause", "offset": [5499, 5520]}, {"key": "the-sub", "type": "clause", "offset": [5551, 5558]}, {"key": "applies-to", "type": "clause", "offset": [5635, 5645]}, {"key": "data-processing-agreements", "type": "clause", "offset": [5701, 5727]}, {"key": "similar-to", "type": "definition", "offset": [5761, 5771]}, {"key": "the-terms", "type": "definition", "offset": [5772, 5781]}, {"key": "set-out", "type": "definition", "offset": [5782, 5789]}, {"key": "compliance-with", "type": "clause", "offset": [5858, 5873]}, {"key": "the-request", "type": "clause", "offset": [5939, 5950]}, {"key": "a-copy-of-the", "type": "clause", "offset": [6006, 6019]}], "samples": [{"hash": "2jaYc3OlsfI", "uri": "/contracts/2jaYc3OlsfI#data-processors-obligations", "label": "Data Processing Agreement", "score": 27.3900318146, "published": true}], "snippet": "The Data Processor acts solely on behalf of and on instructions from the Data Controller in connection with the performance of the agreed Project tasks. The Data Controller thus decides the purposes for which the processing of personal data may take place. The Data Processor undertakes to comply with the Data Protection Rules. Among other things, the Data Processor must (list not exhaustive): Process personal data in accordance with the general principles laid down in Art. 5 of the General Data Protection Regulation. Assist the Data Controller in complying with and protecting the rights of the data subject(s). Prepare a record of processing activities, cf. Art 28(2) of the General Data Protection Regulation. Upon request, the Data Processor must provide the Data Controller with sufficient information to allow the Data Controller to ensure that appropriate technical and organisational security measures have been implemented. Among other things, this includes information about where the personal data are located, as well as physical access to the personal data, if so required by the Data Controller. The Data Processor must ensure that only persons who have a need for such information for the purpose of fulfilling the purpose of the agreement and instructions have access to the personal data. The Data Processor must not, except when instructed by the Data Controller, disclose data which come into the possession of the Data Processor in connection with the performance of the Data Processor\u2019s task. Moreover, the Data Processor must not use or process data from the data processing task for their own purposes or for purposes other than those stipulated by the Data Controller. If, in contravention of this agreement, the Data Processor processes data for their own purposes or for purposes other than the purposes stipulated by the Data Controller, an independent legal basis must exist, and the Data Processor will have the independent status of Data Controller for such processing. If the Data Controller finds that an impact assessment must be carried out, cf. Art. 35 of the General Data Protection Regulation, the Data Processor must contribute to carrying out this impact assessment, if so requested by the Data Controller. The Data Processor must implement appropriate technical and organisational security measures, cf. Art. 32 of the General Data Protection Regulation, to protect the personal data against accidental or unlawful destruction, loss or deterioration, and against any unauthorised disclosure, abuse or processing of the personal data in violation of the Data Protection Rules. As a minimum, the Data Processor is obliged to comply with the following security measures: Electronic registration (logging) of all use of personal data. As a minimum, the registration must contain information about time and user access. Systems, including both software and hardware, used in connection with data processing, must be safe to use and updated. Personal data which must be stored and/or transferred electronically must be encrypted. Personal data must be password-protected. Data storage media and prints must be stored in a safe manner, so that they are not accessible to unauthorised persons. The Data Processor must ensure that only staff members with a work-related purpose have access to the personal data. It must be ensured that the Data Processor's staff members are trained properly and provided with adequate instructions and guidelines on the processing of personal data. The Data Processor is obliged to ensure that the staff members involved in processing personal data are familiar with the security requirements. In connection with the repair and servicing of media containing personal data, and in connection with the discarding of such media, measures must be taken to protect the personal data. The above security regulations also apply to the extent that the Data Processor makes use of home or remote workstations. If the Data Processor is to store personal data for a shorter or longer period of time, the Data Processor is obliged to state where the data are stored. The Data Processor must, within reasonable time, inform the Data Controller of any change of storage location. This form must be filled in by the Data Processor. Data centre location (physical address) CONFIDENTIALITY AND SECRECY In connection with the processing of personal data, the Data Processor's staff members, business partners, external consultants, temporary staff etc. are subject to the duty of secrecy and confidentiality applying to staff members in the public administration. Reference is made to section 27 of the Danish Public Administration Act and sections 152-152(f) of the Danish Criminal Code The Data Processor and any Sub-processors are obliged to inform their own staff members, business partners, external consultants, temporary staff etc. about the duty of secrecy. The Data Processor must keep the personal data confidential, and is thus only entitled to use the personal data as part of the fulfilment of the Data Processor's obligations under the Data Processing Agreement. The Data Processor's obligations to maintain secrecy and confidentiality also apply after termination of the agreement. SUB-PROCESSORS Any transfer of the personal data on the part of the Data Processor to one or more Sub-processors is subject to prior written consent by the Data Controller. If written consent has been obtained in accordance with the above, it is the responsibility of the Data Processor to ensure that the Sub-processors comply with the Data Processing Agreement, as the agreement also applies to Sub-processors. The Data Processor must have concluded data processing agreements with any Sub-processors on terms similar to the terms set out in the present Data Processing Agreement, and must generally ensure compliance with Art. 28(2) and (4) of the General Data Protection Regulation. At the request of the Data Controller, the Data Processor must supply a copy of the sub-processor agreement(s).", "hash": "9421328f963f37f1e7f453851b08049f", "id": 5}, {"size": 2, "snippet_links": [{"key": "the-processor", "type": "definition", "offset": [5, 18]}, {"key": "documented-instructions", "type": "definition", "offset": [43, 66]}, {"key": "the-controller", "type": "clause", "offset": [99, 113]}, {"key": "or-personnel", "type": "definition", "offset": [138, 150]}, {"key": "with-respect-to", "type": "clause", "offset": [152, 167]}, {"key": "the-processing-of-personal-data", "type": "clause", "offset": [168, 199]}, {"key": "in-the-agreement", "type": "clause", "offset": [256, 272]}, {"key": "data-processor", "type": "clause", "offset": [403, 417]}, {"key": "will-provide", "type": "clause", "offset": [418, 430]}, {"key": "assistance-to-the-data-controller", "type": "clause", "offset": [442, 475]}, {"key": "complying-with", "type": "clause", "offset": [494, 508]}, {"key": "data-subject", "type": "clause", "offset": [533, 545]}, {"key": "applicable-regulatory-authorities", "type": "definition", "offset": [583, 616]}, {"key": "in-relation-to", "type": "clause", "offset": [678, 692]}, {"key": "the-personal-data", "type": "definition", "offset": [693, 710]}, {"key": "where-necessary", "type": "definition", "offset": [749, 764]}, {"key": "notice-to-the", "type": "clause", "offset": [781, 794]}, {"key": "in-accordance-with", "type": "definition", "offset": [808, 826]}, {"key": "data-protection", "type": "clause", "offset": [827, 842]}, {"key": "data-to-be-provided", "type": "clause", "offset": [886, 905]}, {"key": "other-party", "type": "definition", "offset": [927, 938]}, {"key": "contemplated-by-this-agreement", "type": "clause", "offset": [942, 972]}, {"key": "territorial-boundaries", "type": "definition", "offset": [1050, 1072]}, {"key": "the-transferor", "type": "clause", "offset": [1074, 1088]}, {"key": "the-recipient", "type": "definition", "offset": [1107, 1120]}, {"key": "contractual-obligations", "type": "definition", "offset": [1143, 1166]}, {"key": "this-addendum", "type": "definition", "offset": [1252, 1265]}], "samples": [{"hash": "DhFdBbRW4E", "uri": "/contracts/DhFdBbRW4E#data-processors-obligations", "label": "Data Processing Agreement", "score": 35.2966880798, "published": true}, {"hash": "foxYMPDuxwS", "uri": "/contracts/foxYMPDuxwS#data-processors-obligations", "label": "Data Processing Agreement", "score": 34.943561554, "published": true}], "snippet": "7.1. The Processor will follow written and documented instructions received, including email, from the Controller, its affiliate, agents, or personnel, with respect to the Processing of Personal Data (each, an \u201cInstruction\u201d).\n7.2. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.\n7.3. At the Data Controller\u2019s request, the Data Processor will provide reasonable assistance to the Data Controller in responding to/ complying with requests/ directions by Data Subject in exercising their rights or of the applicable regulatory authorities regarding Data Processor\u2019s Processing of Personal Data.\n7.4. In relation to the Personal Data, Data Processor shall obtain consent (where necessary) and/or provide notice to the Data Subject in accordance with Data Protection LMicrosoft Azure to enable shared Personal Data to be provided to, and used by, the other Party as contemplated by this Agreement.\n7.5. Where shared Personal Data is transferred outside the Data Processor\u2019s territorial boundaries, the transferor shall ensure that the recipient of such data is under contractual obligations to protect such Personal Data to the same or higher standards as those imposed under this Addendum and the Data Protection LMicrosoft Azure.", "hash": "50d07f36d7500722a716f2b3a28da255", "id": 6}, {"size": 2, "snippet_links": [{"key": "scope-of-data-processing", "type": "clause", "offset": [110, 134]}, {"key": "the-data-controller", "type": "definition", "offset": [164, 183]}, {"key": "to-third-parties", "type": "clause", "offset": [247, 263]}, {"key": "information-on", "type": "clause", "offset": [362, 376]}, {"key": "data-and-information", "type": "definition", "offset": [408, 428]}, {"key": "processing-of-data", "type": "clause", "offset": [437, 455]}, {"key": "to-the-extent", "type": "clause", "offset": [514, 527]}, {"key": "in-writing", "type": "definition", "offset": [575, 585]}, {"key": "assist-the", "type": "clause", "offset": [616, 626]}, {"key": "completion-of", "type": "clause", "offset": [697, 710]}, {"key": "applicable-data-protection-law", "type": "definition", "offset": [759, 789]}, {"key": "an-individual", "type": "clause", "offset": [812, 825]}, {"key": "access-by-third-parties", "type": "clause", "offset": [1202, 1225]}, {"key": "documents-and-files", "type": "clause", "offset": [1227, 1246]}, {"key": "prior-written-consent", "type": "clause", "offset": [1348, 1369]}, {"key": "privacy-officer", "type": "definition", "offset": [1435, 1450]}, {"key": "electronic-mail", "type": "definition", "offset": [1534, 1549]}, {"key": "for-the-purpose-of", "type": "definition", "offset": [1574, 1592]}, {"key": "personal-data-processing", "type": "clause", "offset": [1600, 1624]}, {"key": "as-intended", "type": "definition", "offset": [1714, 1725]}, {"key": "the-objective", "type": "clause", "offset": [1833, 1846]}, {"key": "as-required", "type": "clause", "offset": [1909, 1920]}, {"key": "party-access", "type": "clause", "offset": [1957, 1969]}, {"key": "provide-a", "type": "definition", "offset": [2032, 2041]}, {"key": "security-program", "type": "clause", "offset": [2097, 2113]}, {"key": "changes-to-the-system", "type": "clause", "offset": [2226, 2247]}, {"key": "data-security", "type": "definition", "offset": [2319, 2332]}, {"key": "notify-the", "type": "clause", "offset": [2368, 2378]}, {"key": "violation-of-applicable-law", "type": "clause", "offset": [2448, 2475]}, {"key": "on-hold", "type": "definition", "offset": [2512, 2519]}, {"key": "contractual-terms", "type": "clause", "offset": [2737, 2754]}, {"key": "in-the-course-of", "type": "definition", "offset": [2812, 2828]}, {"key": "a-third-party", "type": "clause", "offset": [2840, 2853]}, {"key": "to-be-processed", "type": "clause", "offset": [2976, 2991]}, {"key": "data-processors", "type": "clause", "offset": [3021, 3036]}, {"key": "places-of-business", "type": "definition", "offset": [3065, 3083]}, {"key": "preparation-of", "type": "clause", "offset": [3376, 3390]}, {"key": "a-list", "type": "definition", "offset": [3391, 3397]}, {"key": "required-information", "type": "clause", "offset": [3458, 3478]}, {"key": "without-delay", "type": "definition", "offset": [3558, 3571]}, {"key": "in-case-of-a", "type": "clause", "offset": [3572, 3584]}, {"key": "relevant-supervisory-authority", "type": "definition", "offset": [3612, 3642]}, {"key": "adequate-documentation", "type": "clause", "offset": [3777, 3799]}], "samples": [{"hash": "huqBIEmlXkj", "uri": "/contracts/huqBIEmlXkj#data-processors-obligations", "label": "Advertiser Terms and Conditions", "score": 23.5954818726, "published": true}], "snippet": "4.1. The Data Processor processes personal data under concluded agreements only, with the purpose, nature and scope of data processing being subject exclusively to the Data Controller\u2019s direction. The Data Processor may not transfer personal data to third parties. The Data Processor shall, upon the Data Controller\u2019s request, provide to the Data Controller all information on the Data Controller\u2019s personal data and information. In its processing of data, the Data Processor may deviate from such directions only to the extent that the Data Controller has consented thereto in writing.\n4.2. The Data Processor will assist the Data Controller with the implementation as well as the full and swift completion of controls. Where the Data Controller, based upon applicable data protection law, is obliged to inform an individual about the collection, processing or use of its personal data, the Data Processor shall assist the Data Controller in making this information.\n4.3. The Data Controller shall retain title as to any carrier media provided to the Data Processor as well as any copies or reproductions thereof. The Data Processor shall store such media safely and protect them against unauthorised access by third parties. Documents and files containing personal data that are no longer needed must not be deleted without the Data Controller\u2019s prior written consent.\n4.4. The Data Processor hereby confirms that it has appointed a privacy officer, and undertakes to identify the privacy officer to the Data Controller in writing (electronic mail being admissible).\n4.5. For the purpose of proper personal data processing, the Data Processor represents and warrants that all agreed measures will be implemented as intended.\n4.6. The Data Processor must ensure that its enterprise and the course of its operations are aligned with the objective protecting the data processed on the Data Controller\u2019s behalf as required \u2013 e.g., against unauthorised third- party access. Upon the Data Controller\u2019s request, the Data Processor shall provide a comprehensive and current personal data protection and security program covering processing hereunder. The Data Processor will duly consult the Data Controller before implementing any changes to the system of procession the Data Controller\u2019s data, provided such changes affect data security.\n4.7. Data Processor will promptly notify the Data Controller if and when it deems the latter\u2019s Direction to be in violation of applicable law, and the Data Processor shall place on hold the Data Controller\u2019s Direction until the Direction is compliant, by the Data Controller.\n4.8. The Data Processor is obliged to promptly inform the Data Controller of each violation of Data protection law provisions, contractual terms and/or the Data Controller\u2019s Direction that has occurred in the course of its own or a third party\u2019s processing of data.\n4.9. The Data Controller\u2019s consent is required for any data handled on the Data Controller\u2019s behalf to be processed at a location other than the Data Processors\u2019 \u2013 or any subcontractor\u2019s \u2013 places of business.\n4.10. The Data Processor must adequately label the data it processes on the Data Controller\u2019s behalf. Insofar as data is processed for more than one purpose, the Data Processor must tag the data with the appropriate purpose.\n4.11. The Data Processor must assist the Data Controller with the preparation of a list of procedures and will furnish the Data Controller with any required information in a suitable manner.\n4.12. The Data Processor must inform the Data Controller without delay in case of a control or measures of the relevant Supervisory Authority.\n4.13. The Data Processor shall be obliged to audit and verify the fulfilment of the above-entitled obligations and shall maintain an adequate documentation of such verification.", "hash": "25e3c7f5a23d67939c2cbbcacc5ab381", "id": 7}, {"size": 2, "snippet_links": [{"key": "to-ensure", "type": "clause", "offset": [5, 14]}, {"key": "the-processor", "type": "definition", "offset": [53, 66]}, {"key": "processing-operations", "type": "clause", "offset": [108, 129]}, {"key": "in-compliance-with", "type": "definition", "offset": [130, 148]}, {"key": "data-protection-regulations", "type": "definition", "offset": [166, 193]}, {"key": "the-principles", "type": "clause", "offset": [205, 219]}, {"key": "chapter-2", "type": "clause", "offset": [232, 241]}, {"key": "process-personal-data", "type": "definition", "offset": [280, 301]}, {"key": "basis-of", "type": "clause", "offset": [309, 317]}, {"key": "for-purposes", "type": "definition", "offset": [354, 366]}, {"key": "relating-to", "type": "definition", "offset": [367, 378]}, {"key": "services-included", "type": "clause", "offset": [396, 413]}, {"key": "management-of", "type": "clause", "offset": [488, 501]}, {"key": "technical-problems", "type": "clause", "offset": [512, 530]}, {"key": "the-obligations", "type": "clause", "offset": [542, 557]}, {"key": "data-processor", "type": "clause", "offset": [582, 596]}, {"key": "register-of-processing-activities", "type": "clause", "offset": [691, 724]}, {"key": "paragraph-2", "type": "clause", "offset": [785, 796]}, {"key": "where-required", "type": "clause", "offset": [821, 835]}, {"key": "data-protection-officer", "type": "definition", "offset": [865, 888]}, {"key": "article-37", "type": "definition", "offset": [901, 911]}, {"key": "paragraph-1", "type": "clause", "offset": [913, 924]}, {"key": "aimed-at", "type": "definition", "offset": [1045, 1053]}, {"key": "adequate-level", "type": "definition", "offset": [1065, 1079]}, {"key": "the-processing", "type": "clause", "offset": [1096, 1110]}, {"key": "provide-the", "type": "clause", "offset": [1165, 1176]}, {"key": "information-and-documentation", "type": "clause", "offset": [1197, 1226]}, {"key": "requested-by", "type": "clause", "offset": [1227, 1239]}, {"key": "in-order-to", "type": "clause", "offset": [1255, 1266]}, {"key": "from-time-to-time", "type": "clause", "offset": [1285, 1302]}, {"key": "appropriate-technical-and-organisational-measures", "type": "clause", "offset": [1341, 1390]}, {"key": "processing-on-behalf-of-the-controller", "type": "clause", "offset": [1422, 1460]}, {"key": "the-provisions", "type": "clause", "offset": [1462, 1476]}, {"key": "contained-in", "type": "definition", "offset": [1494, 1506]}, {"key": "data-processing-agreement", "type": "clause", "offset": [1512, 1537]}, {"key": "where-applicable", "type": "clause", "offset": [1581, 1597]}, {"key": "collection-of-personal-data", "type": "clause", "offset": [1704, 1731]}, {"key": "subsequent-processing", "type": "clause", "offset": [1740, 1761]}, {"key": "compliance-with-the-law", "type": "clause", "offset": [1774, 1797]}, {"key": "privacy-policy", "type": "definition", "offset": [1804, 1818]}, {"key": "data-processing-consent", "type": "clause", "offset": [1836, 1859]}, {"key": "data-subjects", "type": "definition", "offset": [1938, 1951]}, {"key": "necessary-for", "type": "definition", "offset": [1973, 1986]}, {"key": "to-third-parties", "type": "clause", "offset": [2037, 2053]}, {"key": "prior-written-consent", "type": "clause", "offset": [2076, 2097]}, {"key": "measures-to", "type": "clause", "offset": [2178, 2189]}, {"key": "data-collected", "type": "clause", "offset": [2237, 2251]}, {"key": "pertaining-to", "type": "definition", "offset": [2288, 2301]}, {"key": "outside-the-european-union", "type": "clause", "offset": [2350, 2376]}, {"key": "directly-or-indirectly", "type": "clause", "offset": [2378, 2400]}, {"key": "general-principles", "type": "definition", "offset": [2567, 2585]}, {"key": "conditions-applicable", "type": "clause", "offset": [2590, 2611]}, {"key": "chapter-5", "type": "definition", "offset": [2641, 2650]}, {"key": "level-of-protection", "type": "definition", "offset": [2739, 2758]}, {"key": "for-example", "type": "clause", "offset": [2814, 2825]}, {"key": "adequacy-decisions", "type": "clause", "offset": [2827, 2845]}, {"key": "standard-clauses", "type": "definition", "offset": [2847, 2863]}, {"key": "binding-corporate-rules", "type": "clause", "offset": [2865, 2888]}, {"key": "codes-of-conduct", "type": "definition", "offset": [2890, 2906]}, {"key": "access-to-personal-data", "type": "clause", "offset": [2962, 2985]}, {"key": "the-framework-agreement", "type": "definition", "offset": [3061, 3084]}, {"key": "authorised-persons", "type": "definition", "offset": [3108, 3126]}, {"key": "authority-of-the", "type": "clause", "offset": [3144, 3160]}, {"key": "based-on", "type": "definition", "offset": [3171, 3179]}, {"key": "list-of-persons", "type": "clause", "offset": [3388, 3403]}, {"key": "available-to", "type": "definition", "offset": [3454, 3466]}, {"key": "upon-request", "type": "definition", "offset": [3482, 3494]}, {"key": "obligation-to-maintain-confidentiality", "type": "clause", "offset": [3675, 3713]}, {"key": "the-risk", "type": "clause", "offset": [3865, 3873]}, {"key": "additional-security-measures", "type": "clause", "offset": [3939, 3967]}, {"key": "article-10", "type": "definition", "offset": [3980, 3990]}, {"key": "the-union", "type": "definition", "offset": [4078, 4087]}, {"key": "pursuant-to-article-27", "type": "clause", "offset": [4089, 4111]}, {"key": "collaborate-with", "type": "clause", "offset": [4134, 4150]}, {"key": "other-measures", "type": "clause", "offset": [4183, 4197]}, {"key": "with-applicable-laws", "type": "clause", "offset": [4276, 4296]}, {"key": "breach-of-personal-data", "type": "clause", "offset": [4330, 4353]}, {"key": "without-undue-delay", "type": "definition", "offset": [4354, 4373]}, {"key": "the-interested-parties", "type": "clause", "offset": [4592, 4614]}, {"key": "article-34", "type": "definition", "offset": [4627, 4637]}, {"key": "to-provide", "type": "clause", "offset": [4661, 4671]}, {"key": "relevant-documentation", "type": "clause", "offset": [4676, 4698]}, {"key": "paragraph-3", "type": "definition", "offset": [4750, 4761]}, {"key": "written-request", "type": "definition", "offset": [4840, 4855]}, {"key": "required-by-law", "type": "definition", "offset": [4909, 4924]}, {"key": "relevant-matter", "type": "definition", "offset": [5036, 5051]}, {"key": "purposes-of", "type": "clause", "offset": [5068, 5079]}, {"key": "results-of-inspections", "type": "clause", "offset": [5190, 5212]}, {"key": "access-data", "type": "definition", "offset": [5252, 5263]}], "samples": [{"hash": "fywIV9hsxKE", "uri": "/contracts/fywIV9hsxKE#data-processors-obligations", "label": "Framework Agreement", "score": 28.4439182281, "published": true}], "snippet": "4.1. To ensure personal data is processed correctly, the Processor commits to:\na) perform all personal data processing operations in compliance with current personal data protection regulations, including the principles outlined in Chapter 2 (Articles 5-11) of the Regulation;\nb) process personal data on the basis of the binding Framework Agreement and for purposes relating to the provision of services included therein, as well as for purposes strictly related and instrumental to the management of connected technical problems;\nc) ensure the obligations imposed directly on the Data Processor by the Regulation are fully respected, including, by way of example, the obligation to keep a register of processing activities performed on behalf of a Controller pursuant to Article 30, Paragraph 2 of the Regulation, and, where required, the obligation to appoint a Data Protection Officer pursuant to Article 37, Paragraph 1 of the Regulation;\nd) implement, in compliance with Article 32 of the Regulation, technical and organisational measures aimed at ensuring a adequate level of security for the processing operations performed on behalf of the Controller, and provide the Controller with the information and documentation requested by the Controller in order to assess and verify from time to time whether the Processor has implemented appropriate technical and organisational measures;\ne) follow, in performing data processing on behalf of the Controller, the provisions and instructions contained in this Data Processing Agreement;\nf) in collecting subjects\u2019 personal data, where applicable, the Processor shall do so respecting the specific methods agreed with the Controller so as to ensure the collection of personal data and its subsequent processing are done in compliance with the law (e.g. privacy policy and requests for data processing consent provided by the Controller; traceability and conservation of consent given by data subjects);\ng) unless strictly necessary for the provision of Services, not to share or reveal to third parties personal data without prior written consent from the Controller and to implement the necessary organisational and technical measures to ensure maximum confidentiality of the personal data collected and used in carrying out activities pertaining to this designation;\nh) not transfer personal data outside the European Union, directly or indirectly (via possible third parties that have been given written authorisation by the Controller) without prior written authorisation from the Controller, and to respect the general principles and conditions applicable in transfers, as outlined in Chapter 5 of the Regulation, informing the Controller of the measures taken to ensure an adequate level of protection for the data transferred and for the subjects\u2019 rights (for example, adequacy decisions, standard clauses, binding corporate rules, codes of conduct, certifications, etc.);\ni) ensure that staff only have access to personal data when needed and that processing operations relating to the carrying out of the Framework Agreement are undertaken only by authorised persons acting under the authority of the Processor based on appropriate instructions;\nj) sufficiently train the authorised persons appointed to implement the Framework Agreement by providing them with precise instructions and ensuring they are observed. An up-to-date list of persons authorised to process personal data shall be made available to the Controller upon request;\nk) ensure that all physical persons (employees and/or collaborators) authorised to process personal data for the above purposes commit to maintain confidentiality or have a legal obligation to maintain confidentiality;\nl) implement, keep updated and regularly assess all technical and organisational measures needed to ensure a level of security that is appropriate to the risk, in compliance with Article 32 of the Regulation, as well as the additional security measures included in Article 10 of this Data Processing Agreement;\nm) designate, where applicable, a Representative in the Union, pursuant to Article 27 of the Regulation;\nn) collaborate with the Controller to implement any other measures that should become necessary to ensure that personal data processing complies with applicable laws;\no) inform the Controller of any breach of personal data without undue delay, or in any case within 24 hours from when this is discovered, and collaborate with the Controller in the analyses and assessments required to inform the control authorities pursuant to Article 33 of the Regulation and the interested parties pursuant to Article 34 of the Regulation, and to provide the relevant documentation, including the disclosure mentioned in Article 35, Paragraph 3;\np) provide the Controller with a written update, when the Controller makes a written request, of details relating to the fulfilment of everything required by law and by this Data Processing Agreement;\nq) the Processor shall inform the Controller without undue delay of any relevant matter relating to the purposes of this Data Processing Agreement, such as, by way of example: - requests from the Data Protection Supervisor; - results of inspections; - requests from public authorities to access data.", "hash": "19e9963fb95b311c45e0033d7acb8568", "id": 8}, {"size": 2, "snippet_links": [{"key": "to-the-extent", "type": "clause", "offset": [4, 17]}, {"key": "data-processor", "type": "clause", "offset": [27, 41]}, {"key": "in-the-course-of", "type": "definition", "offset": [66, 82]}, {"key": "providing-the-services", "type": "clause", "offset": [83, 105]}, {"key": "each-party", "type": "definition", "offset": [107, 117]}, {"key": "the-data-protection-legislation", "type": "definition", "offset": [157, 188]}, {"key": "the-processor", "type": "definition", "offset": [211, 224]}, {"key": "scope-of-this-dpa", "type": "clause", "offset": [328, 345]}, {"key": "process-personal-data", "type": "definition", "offset": [393, 414]}, {"key": "on-behalf-of", "type": "definition", "offset": [415, 427]}, {"key": "the-data-controller", "type": "definition", "offset": [428, 447]}, {"key": "in-accordance-with", "type": "definition", "offset": [448, 466]}, {"key": "documented-instructions", "type": "definition", "offset": [471, 494]}, {"key": "personal-data-provided", "type": "clause", "offset": [673, 695]}, {"key": "all-employees", "type": "clause", "offset": [801, 814]}, {"key": "handling-of-personal-data", "type": "clause", "offset": [865, 890]}, {"key": "confidential-nature", "type": "definition", "offset": [915, 934]}, {"key": "the-personal-data", "type": "definition", "offset": [938, 955]}, {"key": "terms-of", "type": "clause", "offset": [1139, 1147]}, {"key": "measures-to", "type": "clause", "offset": [1240, 1251]}, {"key": "state-of-the-art", "type": "clause", "offset": [1299, 1315]}, {"key": "costs-of", "type": "definition", "offset": [1321, 1329]}, {"key": "the-nature", "type": "clause", "offset": [1349, 1359]}, {"key": "purposes-of-processing", "type": "clause", "offset": [1380, 1402]}, {"key": "rights-and-freedoms", "type": "clause", "offset": [1466, 1485]}, {"key": "natural-persons", "type": "clause", "offset": [1489, 1504]}, {"key": "inter-alia", "type": "clause", "offset": [1655, 1665]}, {"key": "encryption-of-personal-data", "type": "clause", "offset": [1713, 1740]}, {"key": "ability-to-ensure", "type": "clause", "offset": [1752, 1769]}, {"key": "availability-and-resilience-of-processing-systems-and-services", "type": "clause", "offset": [1811, 1873]}, {"key": "access-to-personal-data", "type": "clause", "offset": [1925, 1948]}, {"key": "in-a-timely-manner", "type": "definition", "offset": [1949, 1967]}, {"key": "in-the-event-of-a", "type": "clause", "offset": [1968, 1985]}, {"key": "technical-incident", "type": "definition", "offset": [1998, 2016]}, {"key": "measures-for-ensuring", "type": "definition", "offset": [2132, 2153]}, {"key": "security-of-the-processing", "type": "clause", "offset": [2158, 2184]}, {"key": "in-particular", "type": "clause", "offset": [2257, 2270]}, {"key": "the-risks", "type": "clause", "offset": [2274, 2283]}, {"key": "presented-by", "type": "definition", "offset": [2293, 2305]}, {"key": "disclosure-of", "type": "clause", "offset": [2404, 2417]}, {"key": "the-technical", "type": "clause", "offset": [2494, 2507]}, {"key": "security-policy", "type": "definition", "offset": [2552, 2567]}, {"key": "at-all-times", "type": "clause", "offset": [2574, 2586]}, {"key": "security-standard", "type": "definition", "offset": [2614, 2631]}, {"key": "to-development", "type": "clause", "offset": [2731, 2745]}, {"key": "and-review", "type": "clause", "offset": [2746, 2756]}, {"key": "set-out", "type": "definition", "offset": [2965, 2972]}, {"key": "pursuant-to-the", "type": "definition", "offset": [3012, 3027]}, {"key": "in-clauses", "type": "clause", "offset": [3057, 3067]}, {"key": "nature-of-the-processing", "type": "clause", "offset": [3115, 3139]}, {"key": "available-to", "type": "definition", "offset": [3160, 3172]}, {"key": "assist-the", "type": "clause", "offset": [3218, 3228]}, {"key": "in-place", "type": "clause", "offset": [3255, 3263]}, {"key": "respond-to", "type": "clause", "offset": [3402, 3412]}, {"key": "requests-for", "type": "clause", "offset": [3413, 3425]}, {"key": "data-subject", "type": "clause", "offset": [3441, 3453]}, {"key": "compliance-with-the", "type": "clause", "offset": [3489, 3508]}, {"key": "data-protection-obligations", "type": "definition", "offset": [3527, 3554]}, {"key": "in-respect-of", "type": "clause", "offset": [3555, 3568]}], "samples": [{"hash": "4y4ZYJhyV1W", "uri": "/contracts/4y4ZYJhyV1W#data-processors-obligations", "label": "Data Processing Agreement", "score": 26.1006164551, "published": true}], "snippet": "4.1 To the extent that the Data Processor processes Personal Data in the course of providing the Services, each party acknowledges that, for the purposes of the Data Protection Legislation the Data Processor is the processor of any Personal Data.\n4.2 The Data Processor may collect, process or use Personal Data only within the scope of this DPA.\n4.3 The Data Processor confirms that it shall process Personal Data on behalf of the Data Controller in accordance with the documented instructions of the Data Controller.\n4.4 The Data Processor shall promptly inform the Data Controller, if in the Data Processor\u2019s opinion, any of the instructions regarding the processing of Personal Data provided by the Data Controller, breach any Data Protection Legislation.\n4.5 The Data Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data:\n4.5.1 Are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;\n4.5.2 Have received appropriate training on their responsibilities as a data processor; and\n4.5.3 Are bound by the terms of this DPA.\n4.5.4 The Data Processor shall implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.\n4.6 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:\n4.6.1 the pseudonymisation and encryption of Personal Data;\n4.6.2 the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;\n4.6.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;\n4.6.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.\n4.7 The technical and organisational measures detailed in the Security Policy shall at all times be adhered to as a minimum security standard. The Data Controller accepts and agrees that the technical and organisational measures are subject to development and review and that the Data Processor may use alternative suitable measures to those detailed in the attachments to this DPA, provided such measures are at least equivalent to the technical and organisational measures set out in the Security Policy and appropriate pursuant to the Data Processor\u2019s obligations in clauses 4.5 and 4.6 above.\n4.8 Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights and the Data Controller\u2019s compliance with the Data Controller\u2019s data protection obligations in respect of the processing of Personal Data.\n4.9 The Data Processor may not:", "hash": "1754e8e284897aa910cf287faf3c4a72", "id": 9}, {"size": 1, "snippet_links": [{"key": "basic-obligations", "type": "clause", "offset": [4, 21]}, {"key": "data-processor", "type": "clause", "offset": [26, 40]}, {"key": "process-personal-data", "type": "definition", "offset": [52, 73]}, {"key": "in-accordance-with", "type": "definition", "offset": [84, 102]}, {"key": "the-data-controller", "type": "definition", "offset": [122, 141]}, {"key": "the-gdpr", "type": "definition", "offset": [165, 173]}, {"key": "written-agreement", "type": "clause", "offset": [244, 261]}, {"key": "written-instructions", "type": "definition", "offset": [290, 310]}, {"key": "for-the-purposes", "type": "clause", "offset": [361, 377]}, {"key": "data-processing-agreement", "type": "clause", "offset": [396, 421]}, {"key": "assist-the", "type": "clause", "offset": [452, 462]}, {"key": "nature-of-the-processing", "type": "clause", "offset": [504, 528]}, {"key": "available-to", "type": "definition", "offset": [549, 561]}, {"key": "the-obligations", "type": "clause", "offset": [610, 625]}, {"key": "pursuant-to-the", "type": "definition", "offset": [626, 641]}, {"key": "make-available", "type": "definition", "offset": [677, 691]}, {"key": "all-information", "type": "clause", "offset": [715, 730]}, {"key": "article-28", "type": "definition", "offset": [833, 843]}, {"key": "notify-the", "type": "clause", "offset": [874, 884]}], "samples": [{"hash": "hOGDWCCbe6i", "uri": "/contracts/hOGDWCCbe6i#data-processors-obligations", "label": "Data Processing Agreement", "score": 29.6620464325, "published": true}], "snippet": "5.1 Basic Obligations\n(a) Data Processor shall only process Personal Data upon, and in accordance with, instructions from the Data Controller and in accordance with the GDPR.\n(b) The Data Processor shall not process Personal Data without prior written agreement with the Data Controller or written instructions from the Data Controller beyond what is necessary for the purposes specified in this Data Processing Agreement.\n(c) The Data Processor shall assist the Data Controller, taking into account the nature of the processing and the information available to the Data Processor, in ensuring compliance with the obligations pursuant to the GDPR Article 32 to 36, and further make available to the Data Controller all information necessary to demonstrate that the Data Controller complies with the obligations laid down in the GDPR Article 28.\n(d) The Data Processor shall notify the Data Controller if the Data Processor receives instructions from the Data Controller that violates the GDPR.", "hash": "abe65b6ff1a519da9c5677aeff5d6f42", "id": 10}], "next_curs": "CmQSXmoVc35sYXdpbnNpZGVyY29udHJhY3RzckALEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IiRkYXRhLXByb2Nlc3NvcnMtb2JsaWdhdGlvbnMjMDAwMDAwMGEMogECZW4YACAA", "clause": {"children": [["", ""], ["confidentiality", "Confidentiality"], ["where", "Where"], ["sell-personal-data", "Sell Personal Data"], ["instructions", "Instructions"]], "size": 56, "title": "Data Processor\u2019s Obligations", "parents": [["whereas", "Whereas"], ["disclosure-of-information", "Disclosure of Information"], ["execution", "EXECUTION"], ["general", "GENERAL"], ["independent-advice", "Independent advice"]], "id": "data-processors-obligations", "related": [["processors-obligations", "Processor\u2019s Obligations", "Processor\u2019s Obligations"], ["licensors-obligations", "Licensors Obligations", "Licensors Obligations"], ["vendors-obligations", "Vendor\u2019s Obligations", "Vendor\u2019s Obligations"], ["lessors-obligations", "Lessor's Obligations", "Lessor&#x27;s Obligations"], ["contractors-obligations", "Contractor\u2019s Obligations", "Contractor\u2019s Obligations"]], "related_snippets": [], "updated": "2025-07-23T06:00:56+00:00"}, "json": true, "cursor": ""}}