Common use of Data Protection Act Clause in Contracts

Data Protection Act. 17.1 For the purposes of this Clause 17.1, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) Process the Personnel Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature) as set out in this Contract or as otherwise notified by the Authority; (b) comply with all applicable laws; (c) Process the Personal Data only to the extent; and in such manner as is necessary for the provision of the Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents who may have access to the Personal Data; (f) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure that all staff and agents required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1; (i) ensure that none of the staff and agents publish disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.17, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 7.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 7.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 7.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 7.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 7.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 7.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 7; (i) ensure 7.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 7.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 11.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 11.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 11.2.9.1 providing the Department with full details of the complaint or request; 11.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 11.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 11.2.9.4 providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 7.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 7.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 7.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which shall be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data shall be Processed and/or to which the Personal Data shall be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who shall be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor shall ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that shall be Processed and/or transferred outside the European Economic Area; 7.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 7.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-contractor or other third party who shall be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).” 7.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.17, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 7.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 7.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 7.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 7.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 7.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-Contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 7.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 7; (i) ensure 7.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 7.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 11.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 11.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 11.2.9.1 providing the Department with full details of the complaint or request; 11.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 11.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 11.2.9.4 providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 7.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 7.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 7.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which shall be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data shall be Processed and/or to which the Personal Data shall be transferred outside the European Economic Area; (c) any Sub-Contractors or other third parties who shall be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor shall ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that shall be Processed and/or transferred outside the European Economic Area; 7.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 7.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-Contractor or other third party who shall be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).” 7.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.117, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 17.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 17.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 17.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 17.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 17.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 17.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause17; (i) ensure 17.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 17.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 17.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 17.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 17.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 17.2.9.1 providing the Department with full details of the complaint or request; 17.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 17.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 17.2.9.4 providing the Department with any information requested by the Department; 17.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 17.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 17.2.12 Not Process or otherwise transfer any Personal Data outside the European 17.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 17.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which will be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; 17.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 17.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European 17.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 6.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.16, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 6.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 6.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 6.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 6.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 6.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 6.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 6.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 6; (i) ensure 6.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPADepartment; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.17, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 7.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 7.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 7.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 7.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 7.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 7.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 7; (i) ensure 7.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 7.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 7.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 7.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 7.2.9.1 providing the Department with full details of the complaint or request; 7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 7.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 7.2.9.4 providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 7.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 7.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure. 7.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which shall be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data shall be Processed and/or to which the Personal Data shall be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who shall be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor shall ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that shall be Processed and/or transferred outside the European Economic Area; 7.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 7.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-contractor or other third party who shall be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). 7.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 For the purposes of this Clause 17.15.2, the terms “"Data Controller”", “"Data Processor”", “Data Subject”, “"Personal Data”", “"Process” " and “Processing "Processing" shall have the meaning meanings prescribed under the DPA. 17.2 . The Prime Contractor shall (and shall ensure procure that all of its the Staff) comply with any notification requirements under the DPA and both Parties will duly observe all of their obligations under the DPA which arise in connection with the Contract. 17.3 . With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Contracting Body is the Data Controller and that the Prime Contractor is the Data Processor. Notwithstanding the general obligation in clause 17.2Clause 5.2.2, where the Prime Contractor is processing Processing Personal Data (as defined by the DPA) as a Data Processor for the Authority Contracting Body the Prime Contractor shall: (a) shall:- Process the Personnel Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature) Contracting Body as set out in this the Contract or as otherwise notified by the Authority; (b) Contracting Body; comply with all applicable laws; (c) ; Process the Personal Data only to the extent; , and in such manner as is necessary for the provision of the Provider’s Prime Contractor's obligations under this Contract or as is required by Law or any Regulatory Body; (d) the Contract; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) ; take reasonable steps to ensure the reliability of its staff and agents all Staff who may have access to the Personal Data and use all reasonable endeavours to ensure that such persons have sufficient skills and training in the handling of Personal Data; (f) ; obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any sub- contractor agents, Sub-contractors or suppliers for the provision of the Services; Services (gsave that where Approval of any Sub-contractor has been granted by the Contracting Body pursuant to Clause 6.1 (which shall include the Approval of such Sub-contractor’s security plan) the Prime Contractor shall be entitled to transfer the Personal Data to such Sub-contractor without obtaining Approval pursuant to this Clause 5.2.3 (f)); not Process or otherwise cause or permit the Personal Data to be transferred outside of the European Economic Area without Approval. If, after the prior consent Commencement Date, the Prime Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside of the Authority; (h) European Economic Area, the following provisions shall apply:- the Prime Contractor shall comply with then-current Contracting Body, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and the Prime Contractor shall comply with such other instructions and shall carry out such other actions as the Contracting Body may notify in writing. ensure that all staff and agents Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1; (i) Clause 5.2; ensure that none of the staff and agents publish Staff publish, disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority Contracting Body; not disclose Personnel the Personal Data to any third parties in any circumstances other than with the written consent of the Authority Contracting Body or in compliance with a legal obligation imposed upon the AuthorityContracting Body; and 17.4 notify the Authority Contracting Body within five (within [five] 5) Working Days) Days if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.receives:-

Data Protection Act. 17.1 11.1 For the purposes of this Clause 17.1clause 11, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPAData Protection Act. 17.2 11.2 The Contractor shall (and shall ensure that all of its the Contractor’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contractthis Framework Agreement. 17.3 11.3 Notwithstanding the general obligation in clause 17.211.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority Lead Procurer, the Contractor shall: (a) Process the Personnel Personal Data only in accordance with instructions from the Authority Lead Procurer (which may be specific instructions or instructions of a general nature) as set out in this Contract Framework Agreement or as otherwise notified by the AuthorityLead Procurer; (b) comply with all applicable lawsLaws; (c) Process the Personal Data only to the extent; extent and in such manner as is necessary for the provision of the Provider’s obligations under this Contract Framework Agreement or as is required by Law or any Regulatory Bodyregulatory body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful access, disclosure and Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful access, Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents the Contractor’s Staff who may have access to the Personal DataData (at a minimum by performing adequate screening of Contractor’s Staff as per clause 4.3.6 of this Framework Agreement); (f) obtain prior written consent from the Authority Lead Procurer in order to transfer the Personal Data to any sub- sub-contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred transferred, stored, accessed, viewed or Processed outside of the European Economic Area country where the research is primarily performed as agreed with the Lead Procurer, without the prior written consent of the AuthorityLead Procurer; (h) ensure that all staff and agents of Contractor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.111; (i) ensure that none of the staff and agents publish Contractor’s Staff publish, disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority not disclose Personnel Lead Procurer; (j) permit the Lead Procurer to inspect and audit the Contractor's (and its subcontractors’ to the extent permitted) data processing activities and comply with reasonable requests or directions by the Lead Procurer to enable it to verify and/or procure that the Contractor is in full compliance with its data protection obligations under this Framework Agreement; (k) on termination of the Framework Agreement for whatever reason, or upon the Lead Procurer’s earlier written request at any time, immediately cease to use or process any Personal Data received by or on behalf of the Lead Procurer under the Framework Agreement, and where practicable return that Personal Data to any third parties the Lead Procurer together with all copies in any circumstances other than with the written consent of the Authority its possession or in compliance with a legal obligation imposed upon the Authoritycontrol; and 17.4 notify the Authority (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 For 30.1 In respect of any personal data provided to the purposes of this Clause 17.1, Service Provider to enable the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 The Contractor shall (and shall ensure that all of Service Provider to perform its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise Contract, the Purchaser is the Controller and the Service Provider is the Processor. 30.2 The Service Provider shall comply with all applicable Data Protection Legislation in relation to Personal Data Processed by the Service Provider in connection with the ContractContract and shall not do anything or permit anything to be done which might lead to a breach of Data Protection Legislation or any other applicable laws. 17.3 Notwithstanding 30.3 Where the general obligation in clause 17.2, where the Contractor Service Provider is processing Processing Personal Data (as defined by the DPA) as a Data Processor for processor as a part of performing its obligations under the Authority the Contractor Contract it shall: (a) Process the Personnel only process Personal Data only in accordance with written instructions from the Authority Purchaser and shall not: i. subject to Clause 30.5, disclose or divulge (which may be specific instructions or instructions of a general nature) as set out in this Contract or as otherwise notified by the Authority; (b) comply with all applicable laws; (c) and ensure that persons authorised to Process the Personal Data only to the extent; and in such manner as is necessary for the provision of the Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents who may have access to the Personal Data; (f) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor for the provision of the Services; (g) do not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure that all staff and agents required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1; (i) ensure that none of the staff and agents publish disclose or divulge divulge) any of the Personal Data personal data to any third parties unless directed in writing to do so by the Authority not disclose Personnel Purchaser; or ii. delete, destroy or remove any of the Personal Data to any third parties in any circumstances other than with without the prior written consent of the Authority Purchaser; or iii. transfer any Personal Data to a country or territory outside the European Economic Area other than in accordance with the terms of the Data Protection Legislation with the prior written approval of the Purchaser. b) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; c) implement appropriate technical and organisational measures to ensure the security of the personal data and Confidential Information and to ensure that no accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed will occur. Such measures may include encryption and pseudonymisation of data and other measures required by applicable Data Protection Legislation; d) notify the Purchaser immediately on becoming aware or suspecting that any Personal Data and/or Confidential Information has been lost, damaged or has become subject to a Personal Data Breach and provide any and all assistance in relation to such loss, damage and/or breach as the Purchaser may require, including assistance in relation to reporting such event to a relevant authority and/or the Data Subjects who have been affected by such event; e) promptly provide the Purchaser any: i. assistance requested by the Purchaser in order for the Purchaser to comply with Data Protection Legislation; and ii. information requested by the Purchaser for the Purchaser to verify that the Contract is performed in accordance with all applicable Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by the Purchaser or another auditor mandated by the Purchaser. f) ensure that it does nothing which may place the Purchaser in breach of its obligations under the applicable Data Protection Legislation; g) taking into account the nature of the Processing, assist the Purchaser by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Purchaser’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Legislation; h) assist the Purchaser in ensuring compliance with the Purchaser’s obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation taking into account the nature of Processing and the information available to the Processor; i) at the choice of the Purchaser, delete or return all the Personal Data processed under the Contract to the Purchaser after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of the Personal Data; and j) inform the Purchaser immediately if, in the opinion of the Service Provider, an instruction given pursuant to sub-paragraph 30.4 infringes any Data Protection Legislation. In such cases the Service Provider shall use all reasonable endeavours to comply with its obligations. 30.4 The Purchaser hereby instructs the Service Provider to Process any Personal Data on the following lawful basis only: a) Processing is necessary for compliance with a legal obligation imposed upon to which the Authority; andController is subject; 17.4 notify b) Processing is necessary in order to protect the Authority (within [five] Working Days) if it receives: (a) a request from a vital interests of the Data Subject or of another natural person; c) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; d) Processing is necessary to have access to that person’s Personal Dataprotect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent; e) Processing is necessary for the Premises, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or (bf) a complaint Processing is necessary for reasons of substantial public interest, on the basis of Union or request relating Member State law which shall be proportionate to the Authorityaim pursued, respect the essence of the right to Data Protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject. 30.5 It is the Purchaser’s obligations responsibility to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Legislation and the Service Provider shall notify the Purchaser of any such requests it receives from Data Subjects and shall provide the Purchaser all reasonable assistance to allow the Purchaser to comply with applicable Data Protection Legislation with regard to such requests. 30.6 Where permitted under Clause 35 (Assignation and Sub-contracting) and otherwise under the DPA; 17.5 The provision Contract to do so, the Service Provider may sub-contract data processing duties undertaken on behalf of this Clause 17.1 shall apply during the Purchaser to third party suppliers provided that: (i) the same data protection obligations as set out in the Contract Period shall be imposed on such third party suppliers; and indefinitely after its expiry(ii) the Service Provider shall inform the Purchaser of any intended changes concerning the addition or replacement of such third party suppliers.

Data Protection Act. 17.1 11.1 For the purposes of this Clause 17.111, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 11.1.1 The parties recognise that they may handle Personal Data. Both parties shall comply with their legal obligations under the DPA. 11.1.2 The Contractor shall (and shall ensure that all of its Staff) must comply with any notification requirements its legal obligations under the DPA and both Parties will duly observe all their shall notify the Department, as soon as it becomes aware of any actual or potential data incident or breach of your obligations under the DPA which arise in connection with the relation to any personal data processed as a consequence of undertaking this Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where 11.2 Insofar as the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority The Department as a consequence of undertaking this contract the Contractor shall: (a) 11.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 11.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 11.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 11.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 11.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 11.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 11; (i) ensure 11.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 11.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] two Working Days) Days if it receives: (a) 11.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; , or (b) 11.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 11.2.9 Where the department receives a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Department's obligations under the Data Protection Legislation the Contractor shall assist the Department by: 11.2.9.1 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department) 11.2.9.2 providing the Department with full cooperation and assistance in relation to any complaint or request made; 11.2.9.3 providing the Department with full details of the complaint or request; 11.2.9.4 providing the Department with any information requested by the Department; 11.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 11.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 11.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 11.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 11.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which will be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; 11.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally. 11.2.13 The provision Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: 11.2.13.1 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and 11.2.13.2 procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). 11.3 Insofar as the contractor processes personal data for its own administrative purposes, whilst undertaking this Clause 17.1 contract the Contractor must comply at all times with the Data Protection Legislation and shall apply during not perform its obligations under this Contract in such a way as to cause the Contract Period and indefinitely after Department to breach any of its expiryapplicable obligations under the Data Protection Legislation.

Data Protection Act. 17.1 For 5.2.1 With respect to the purposes of Parties' rights and obligations under this Clause 17.1Contract, the terms “parties agree that the Authority is the Data Controller”, “Controller and that the Service Provider is the Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 5.2.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor Service Provider shall: (a) Process take all reasonable steps to process the Personnel Personal Data only in accordance with lawful and reasonable instructions from the Authority (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityAuthority to the Service Provider during the Contract Period); (b) comply with all applicable laws; (c) Process process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law or any Regulatory Body; (dc) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having have regard to the nature of the Personal Data which is to be protected, the state of technological development and the cost of implementing such measures; (ed) take use reasonable steps endeavours to ensure the reliability of its staff engage suitably skilled and agents qualified Service Provider Personnel who may have access to the Personal Data; (fe) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor anyone other than its Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (hf) ensure that all staff and agents Service Provider Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 5.2; (ig) ensure that none of the staff and agents publish Service Provider Personnel publish, disclose or divulge any of the Personal Data to any third parties party except where expressly authorised under this Agreement, or unless directed in writing to do so by the Authority not disclose Personnel Data or required to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; anddo so by Law; 17.4 (h) notify the Authority within ten (within [five] 10) Working Days) Days if it receives: (ai) a request from a Data Subject whose Personal Data is being processed by the Service Provider under this Agreement, to have access to that person’s 's Personal Data; or (bii) a complaint or request relating to the Authority’s 's obligations under the DPA; 17.5 (i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i) providing the Authority with full details of the complaint or request; (ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; (iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) providing the Authority with any information requested by the Authority in relation to the complaint or request; (j) permit the Authority or the Authority representative (subject to reasonable and appropriate confidentiality undertakings), and where legally permissible to inspect and audit, in accordance with Clause 5.9 (Records and Audit Access), the Service Provider's data Processing activities (and/or those of its agents, subsidiaries and Sub-Service Providers) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Service Provider is in full compliance with its obligations under this Contract; (k) provide a written description of the technical and organisational methods employed by the Service Provider for processing Personal Data (within the timescales reasonably required by the Authority); and (l) not process Personal Data outside the European Economic Area, except where such transfer and processing: (i) is in compliance with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the DPA by providing an adequate level of protection to any Personal Data that is transferred; and (ii) complies with any reasonable instructions notified to it by the Authority; and (iii) is with the Approval of the Authority. 5.2.3 The provision Service Provider shall comply at all times with the DPA in connection with its data privacy obligations under this Agreement and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. 5.2.4 For the purposes of Clause 5.2, the terms "Data Controller", "Data Processor", “Data Subject”, "Personal Data", "Process" and "Processing" shall have the meanings prescribed under the DPA. 5.2.5 The provisions of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 26.1 For the purposes of this Clause 17.126, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 26.1.1 The parties recognise that they may handle Personal Data. Both parties shall comply with their legal obligations under the DPA. 26.1.2 The Contractor shall (and shall ensure that all of its Staff) must comply with any notification requirements its legal obligations under the DPA and both Parties will duly observe all their shall notify the Department, as soon as it becomes aware of any actual or potential data incident or breach of your obligations under the DPA which arise in connection with the relation to any personal data processed as a consequence of undertaking this Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where 26.2 Insofar as the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority The Department as a consequence of undertaking this contract the Contractor shall: (a) 26.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 26.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 26.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 26.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 26.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 26.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause26; (i) ensure 26.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 26.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] two Working Days) Days if it receives: (a) 26.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or; (b) 26.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 26.2.8.3 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 26.2.8.4 providing the Department with full details of the complaint or request; 26.2.8.5 Assisting or complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 26.2.9 Where the department receives a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Department's obligations under the Data Protection Legislation the Contractor shall assist the Department by: 26.2.9.1 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 26.2.9.2 providing the Department with any information requested by the Department; 26.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 26.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 26.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 26.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 26.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which will be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; 26.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 26.2.13 The provision Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: 26.2.13.1 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and 26.2.13.2 procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).” 26.3 Insofar as the contractor processes personal data for its own administrative purposes, whilst undertaking this Clause 17.1 contract the Contractor must: 26.3.1 comply at all times with the Data Protection Legislation and shall apply during not perform its obligations under this Contract in such a way as to cause the Contract Period and indefinitely after Department to breach any of its expiryapplicable obligations under the Data Protection Legislation.

Data Protection Act. 17.1 E.1.1 For the purposes of this Clause 17.1E.1, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 E.1.2 The Contractor shall (and shall ensure that all of its it’s entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 E.1.3 Notwithstanding the general obligation in clause 17.2E.1.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority Client the Contractor shall: (a) Process the Personnel Data only in accordance with instructions from the Authority Client (which may be specific instructions or instructions of a general nature) as set out in this Contract or as otherwise notified by the Contracting Authority; (b) comply with all applicable laws; (c) Process the Personal Data only to the extent; and in such manner as is necessary for the provision of the Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents who may have access to the Personal Data; (f) obtain prior written consent from the Contracting Authority in order to transfer the Personal Data to any sub- sub-contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the AuthorityClient; (h) ensure that all staff and agents required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1E.1; (i) ensure that none of the staff and agents publish disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority Client (j) not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority Client or in compliance with a legal obligation imposed upon the AuthorityClient; and 17.4 E.1.4 notify the Authority Client (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the AuthorityClient’s obligations under the DPA; 17.5 E.1.5 The provision of this Clause 17.1 E.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 For With respect to the purposes of parties’ rights and obligations under this Clause 17.1Contract, the terms “parties agree that SDNPA is the Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” Controller and “Processing shall have the meaning prescribed under the DPA. 17.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal the Data (as defined by the DPA) as a Data Processor for the Authority the Processor. 17.1.1 The Contractor shall: (a) Process 17.1.1.1 process the Personnel Personal Data only in accordance with instructions from the Authority SDNPA (which may be specific instructions or instructions of a general nature) as set out in this Contract nature or as otherwise notified by SDNPA to the AuthorityContractor during the term of this Contract); (b) comply with all applicable laws; (c) Process 17.1.1.2 process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Bodyregulatory body; (d) 17.1.1.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) 17.1.1.4 take reasonable steps to ensure the reliability of its staff and agents any Staff who may have access to the Personal Data; (f) 17.1.1.5 obtain prior written consent from the Authority SDNPA in order to transfer the Personal Data to any sub- contractor Sub-Contractors or affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) 17.1.1.6 ensure that all staff and agents Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.117; (i) 17.1.1.7 ensure that none of the staff and agents publish Staff do not publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; andSDNPA; 17.4 17.1.1.8 notify the Authority SDNPA (within [five] five (5) Working Days) ), if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the AuthoritySDNPA’s obligations under the DPAData Protection Legislation; 17.1.1.9 provide SDNPA with full co-operation and assistance in relation to any complaint or request made, including by: (a) providing SDNPA with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the SDNPA’s instructions; (c) providing SDNPA with any Personal Data it holds in relation to a Data Subject (within the timescales required by SDNPA) and (d) providing SDNPA with any information requested by SDNPA; 17.1.1.10 permit the SDNPA or the SDNPA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by SDNPA to enable the SDNPA to verify and /or procure that the Contractor is in full compliance with its obligations under this Contract; 17.1.1.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by SDNPA); and 17.1.1.12 not Process Personal Data outside the European Economic Area without the prior written consent of SDNPA and, where SDNPA consents to a transfer, to comply with: (a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (b) any reasonable instructions notified to it by SDNPA. 17.2 The Contractor shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this agreement in such a way as to cause SDNPA to breach any of its applicable obligations under the Data Protection Requirements. 17.3 The Contractor shall be liable for and shall indemnify (and keep indemnified) the SDNPA against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by SDNPA which arise directly from a breach by the Contractor of its obligations under the Data Protection Requirements, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the Contractor or its employees, servants, agents or Sub-Contractors. 17.4 The Parties acknowledge that the General Data Protection Regulations (GDPR) comes into effect during the term of the Contract on 25 May 2018. 17.5 The provision of this Clause 17.1 Parties agree that prior to 25 May 2018 they shall apply during update the data protection clauses in the Contract Period to ensure compliance with the GDPR. The variation shall be agreed in writing by the parties in accordance with clause [insert number of Variation Clause in the standard terms and indefinitely after its expiryconditions]. 17.6 If the Parties have not agreed a variation to the Contract to ensure compliance with the GDPR by 25 May 2018 SDNPA shall be entitled to terminate the Contract immediately by notice in writing.

Data Protection Act. 17.1 14.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.114, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 14.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 14.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 14.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law or any Regulatory Body; (d) implement 14.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 14.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 14.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 14.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1clause14; (i) ensure 14.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 14.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) : - a request from a Data Subject to have access to that person’s 's Personal Data; or (b) or - a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 14.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: - providing the Department with full details of the complaint or request; - complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; - providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and - providing the Department with any information requested by the Department; 14.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 14.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 14.2.12 Not process Personal Data outside the European Economic Area without the prior written consent of the Department and, where the Department consents to a transfer, to comply with: - the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and - any reasonable instructions notified to it by the Department. 14.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.