Data Protection and Data Processing and Security.
11.1. The Parties acknowledge that for the purposes of the Agreement, the Client is the Data Controller, and the Supplier is the Data Processor in respect of any Personal Data.
11.2. The Parties shall at all times comply with all applicable Data Protection Legislation in force from time to time including the DPA, to the extent that it applies, the General Data Protection Regulations (Regulation (EU) 2016/679) (the “GDPR”), and all related guidance and codes of practice issued by applicable supervisory authorities and any equivalent legislation amending or replacing the GDPR or the DPA.
11.3. Each Party warrants that they:
11.3.1. shall not by any act or omission put the other party in breach of the Data Protection Legislation;
11.3.2. shall not transfer or process any Personal Data to any other Party or outside of the European Economic Area without the other Party’s express written consent and, where consent is given, shall only undertake such transfer or processing in accordance with the other Party’s instructions;
11.3.3. shall keep all Personal Data confidential and provide appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction or damage and it shall only deal with the Personal Data for the purposes, and in accordance with its obligations, set out in this Agreement;
11.3.4. shall take all reasonable steps to ensure the reliability of any of its personnel who have access to Personal Data processed in connection with this Agreement;
11.3.5. shall provide such information and, on reasonable prior notice, allow for and contribute to audits, including inspections by an auditor mandated by any regulatory authority as is necessary to ensure compliance with the Data Protection Legislation;
11.3.6. shall not use any sub-contractors to process Personal Data, unless the other Party has issued its prior written consent and the Supplier shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this Clause 11; and
11.3.7. shall on termination of this Agreement, and at any time on the other Party’s request, immediately either return the Personal Data in the format requested or destroy the Personal Data (including all copies of it) and confirm in writing that it has complied with this Clause 11.6.7.
11.4. Each Party shall notify the other promptly if it receives:
11.4.1. a request from a Data Subject; or
Data Protection and Data Processing and Security.
11.1. The Parties acknowledge that for the purposes of the Agreement, the Client is the Data Controller, and the Supplier is the Data Processor in respect of any Personal Data.
11.2. The Parties shall at all times comply with all applicable Data Protection Legislation in force from time to time including the DPA, to the extent that it applies, the General Data Protection Regulations (Regulation (EU) 2016/679) (the “GDPR”), and all related guidance and codes of practice issued by applicable supervisory authorities and any equivalent legislation amending or replacing the GDPR or the DPA.
11.3. Each Party warrants that they:
11.3.1. shall not by any act or omission put the other party in breach of the Data Protection Legislation;
11.3.2. shall not transfer or process any Personal Data to any other Party or outside of the European Economic Area without the other Party’s express written consent and, where consent is given, shall only undertake such transfer or processing in accordance with the other Party’s instructions;
11.3.3. shall keep all Personal Data confidential and provide appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction or damage and it shall only deal with the Personal Data for the purposes, and in accordance with its obligations, set out in this Agreement;
11.3.4. shall take all reasonable steps to ensure the reliability of any of its personnel who have access to Personal Data processed in connection with this Agreement;
11.3.5. shall provide such information and, on reasonable prior notice, allow for and contribute to audits, including inspections by an auditor mandated by any regulatory authority as is necessary to ensure compliance with the Data Protection Legislation;
11.3.6. shall not use any sub-contractors to process Personal Data, unless the other Party has issued its prior written consent and the Supplier shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this Clause 11; and
11.3.7. shall on termination of this Agreement, and at any time on the other Party’s request, immediately either return the Personal Data in the format requested or destroy the Personal Data (including all copies of it) and confirm in writing that it has complied with this Clause 11.3.7.
11.4. Each Party shall notify the other promptly if it receives:
11.4.1. a request from a Data Subject; or
11.4.2. a complaint or request relating to the rights of a Data Subject under the Data Protection Legislation; or
11.4.3. any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, each Party shall promptly provide its full co-operation and assistance as is reasonably required in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation.
11.5. Each Party shall:
11.5.1. notify the other Party promptly upon becoming aware of a Personal Data Breach; and
11.5.2. following notification, provide such information and assistance as is reasonably required in order for the other Party to notify the Personal Data Breach to the Information Commissioner and/or any Data Subjects, in accordance with the DPA or GDPR.
11.6. The Data Processor shall process the Personal Data only in accordance with the Data Controller’s instructions and shall not process the Personal Data for any purpose other than those expressly authorised by the Data Controller and to the extent necessary to provide the Services and in accordance with this Agreement.
11.7. The Data Processor shall take reasonable steps to ensure the reliability of all its employees who have access to Personal Data.
11.8. The Data Processor shall:
11.8.1. take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure an appropriate level of security; and
11.8.2. reduce the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage.
11.9. The Supplier shall implement the data protection and security measures set out in Schedule 3.
11.10. Each Party agrees to indemnify and keep indemnified and defend at its own expense the other Party against all direct costs, claims, damages or expenses incurred by the breaching Party or for which the non-breaching Party may become liable due to any failure by the breaching Party or its employees or agents to comply with any of its obligations under this Agreement.
11.11. The Data Controller acknowledges that the Data Processor is reliant on the Data Controller for direction as to the extent to which the Data Processor is entitled to use and process the Personal Data. Consequently, the Data Processor shall not be liable for any claim brought by a Data Subject or any regulator arising from any action or omission by the Data Processor, to the extent that such action or omission resulted directly from the Data Controller’s instructions.
11.12. The Data Processor may authorise a subcontractor to process the Personal Data provided that the subcontractor’s contract is on terms which are substantially the same as those set out in this Agreement with the prior approval of the Data Controller.
Data Protection and Data Processing and Security.
11.1. The parties acknowledge that for the purposes of the Agreement the Client is the Data Controller and the Supplier is the Data Processor in respect of any Personal Data.
11.2. The parties shall at all times comply with all applicable data protection legislation in force from time to time including the Data Protection Act 2018 (the “DPA”), to the extent that it applies, the General Data Protection Regulations (Regulation (EU) 2016/679) (the “GDPR”), and all related guidance and codes of practice issued by applicable supervisory authorities and any equivalent legislation amending or replacing the GDPR or the DPA.
11.3. Each party warrants that they:
11.3.1. shall not by any act or omission put the other party in breach of the Data Protection Legislation;
11.3.2. shall not transfer or process any Personal Data to any other party or outside of the European Economic Area without the other party’s express written consent and, where consent is given, shall only undertake such transfer or processing in accordance with the other party’s instructions;
11.3.3. shall keep all Personal Data confidential and provide appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction or damage and it shall only deal with the Personal Data for the purposes, and in accordance with its obligations, set out in this Agreement;
11.3.4. shall take all reasonable steps to ensure the reliability of any of its staff who have access to Personal Data processed in connection with this Agreement;
11.3.5. shall provide such information and, on reasonable prior notice, allow for and contribute to audits, including inspections by an auditor mandated by any regulatory authority as is necessary to ensure compliance with the Data Protection Legislation;
11.3.6. shall not use any sub-contractors to process Personal Data, unless the other party has issued its prior written consent and the Supplier shall ensure that sub-contracts entered into with approved sub-contractors shall include provisions equivalent to those in this Clause 11; and
11.3.7. shall on termination of this Agreement, and at any time on the other party’s request, immediately either return the Personal Data in the format requested or destroy the Personal Data (including all copies of it) and confirm in writing that it has complied with this obligation.
11.4. Each party shall notify the other promptly if it receives:
11.4.1. a request from a Data Subject (as defined in the DPA, and, with effect from 28 May 2018, the GDPR, or any amendment or replacement of the same) to have access to that person’s Personal Data; or
11.4.2. a complaint or request relating to the rights of a Data Subject under the Data Protection Legislation; or
11.4.3. any other communication relating directly or indirectly to the processing of any Personal Data in connection with this Agreement; and in each case, each party shall promptly provide its full co-operation and assistance as is reasonably required in order to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation.
11.5. Each party shall:
11.5.1. notify the other party immediately upon becoming aware of a Personal Data Breach (as defined in the GDPR or any amendment or replacement of the same); and
11.5.2. following notification, provide such information and assistance as is reasonably required in order for the other party to notify the Personal Data Breach to the Information Commissioner and/or any Data Subjects, in accordance with the DPA or GDPR.
11.6. The Supplier shall process the Personal Data only in accordance with the Data Controller’s instructions from time to time and shall not process the Personal Data for any purpose other than those expressly authorised by the Data Controller under this Agreement.
11.7. The Supplier shall take reasonable steps to ensure the reliability of all its employees who have access to Personal Data.
11.8. The Supplier warrants that it will:
(i) take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure an appropriate level of security;
(ii) reduce the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(iii) implement the additional data protection and security measures set out in Schedule 3.