Data Protection Audit Clause Samples

Data Protection Audit a) During the term of this Data Processing Agreement the User and/or a reputable independent third- party auditor the User designates will have the right to examine the Service Provider and its subprocessors’ facilities, moreover to verify whether or not the Service Provider operates its data protection system in compliance with the provisions set out in this Data Processing Agreement, if it is suspected that the Processor fails to comply with any provision in this agreement. b) Notwithstanding the above, this audit may not extend to the examination of data belonging to the Service Provider’s clients, furthermore will not grant access to information related to the Service Provider’s security systems/measures. The Processor must be notified about audits initiated by the User at least 30 days in advance. The notification shall reason the necessity of the audit and shall describe its envisaged scope. Audits may not trigger the unreasonable interruption of the Processor’s workflows, and may not exceed a duration of 30 days, which may be extended once in justified cases. Auditing may not involve (i) direct access to the qualified trust service provider’s IT systems and premises, (ii) disturbing the Processor’s employees and causing significant extra work for them. To avoid any misunderstanding, the Parties confirm that the User will bear the costs related to data protection audits.

Data Protection Audit. 1.5.1 The Service Provider shall produce and maintain a Data Protection audit plan to be agreed by TTL, which shall include: a) timescales for preparation and conduct of the annual Data Protection audit; b) the Data Protection audit strategy and planned outputs; c) details of the independent Third Party undertaking the Data Protection audit; d) the Service Provider Personnel responsible for fulfilment of the Data Protection audit plan; and e) the Service Provider Personnel responsible for the management of the independent Third Party undertaking the Data Protection audit. 1.5.2 The Service Provider shall implement a comprehensive Data Protection audit, to be undertaken by an independent Third Party approved by TTL, covering all Data Processing undertaken by the Service Provider. The Data Protection audit will be completed at no cost to TTL. 1.5.3 The Service Provider shall conduct the Data Protection audit annually (or at a frequency agreed with TTL) and report the findings to TTL. 1.5.4 The Service Provider shall act on the findings from any Data Protection audits to ensure (within timescales agreed by TTL) that the Service Provider's Processing, storage, disclosure and destruction of Personal Data are conducted in accordance with: a) the Data Protection Legislation; b) the provisions of Clause 50 (Information Compliance); c) Schedule 15 (Information Compliance); and d) Schedule 5 (Service Level Agreement).

Data Protection Audit. 6.1. Upon prior written request by Data Controller, Data Processor agrees to cooperate and within reasonable time provide to Data Controller with: (a) a summary of the audit reports demonstrating Data Processor’s compliance with its obligations under this Agreement, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Data Processor’s systems, or to the extent that any such vulnerability was detected, that Data Processor has fully remedied such vulnerability. 6.2. If the above measures are not sufficient to confirm compliance with GDPR or reveal some material issues, subject to the strictest confidentiality obligations, Data Processor allows Data Controller to request an audit of Data Processor’s data protection compliance program by external independent auditors, which are jointly selected by the parties. The external independent auditor cannot be a competitor of Data Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not start with less than 30 days from the first request of the Data Controller. Data Processor will make available to Data Controller the result of the audit of its data protection compliance program. Data Controller shall bear the cost of such audit and must fully reimburse Data Processor for all expenses and costs related to such audit.

Data Protection Audit. Upon prior written request by Merchant, ▇▇▇▇▇▇▇▇.▇▇▇ agrees to cooperate and within reasonable time provide Merchant with: (a) a summary of the audit reports demonstrating ▇▇▇▇▇▇▇▇.▇▇▇’s compliance with EU Data Protection obligations under this Agreement, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in ▇▇▇▇▇▇▇▇.▇▇▇’s systems, or to the extent that any such vulnerability was detected, that ▇▇▇▇▇▇▇▇.▇▇▇ has fully remedied such vulnerability. If the above measures are not sufficient to confirm compliance with EU Data Protection law or reveal some material issues, subject to the strictest confidentiality obligations, ▇▇▇▇▇▇▇▇.▇▇▇ allows Merchant to request an audit of ▇▇▇▇▇▇▇▇.▇▇▇’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The external independent auditor cannot be a competitor of ▇▇▇▇▇▇▇▇.▇▇▇, and the Parties will mutually agree upon the scope, timing, and duration of the audit. ▇▇▇▇▇▇▇▇.▇▇▇ will make available to Merchant the result of the audit of its data protection compliance program.

Data Protection Audit. 7.1. Customer, acting by itself or through its appointed representative (acting pursuant to an NDA approved by Drift), shall have the right during the term of the Agreement and for as long thereafter as Drift processes Personal Data regarding which Customer is a Controller, to assess compliance by Drift with the applicable requirements of the EU Data Protection Law and/or this Addendum, and to review the technical and organizational measures taken by Drift against the unauthorized or unlawful processing of Personal Data and against the unauthorized access to, accidental loss or destruction of, or damage to, Personal Data, on at least thirty (30) days’ advance notice to Drift. Before the commencement of any audit, Customer and Drift shall mutually agree upon the scope, timing, and duration of the audit, and Customer shall take all reasonable measures to limit any adverse impact thereof on Drift. 7.2. To the extent permitted by applicable law, Customer shall bear the costs and expenses incurred in respect of the parties’ compliance with their obligations under this clause, unless the audit identifies that the Drift is not in compliance with the applicable requirements of the EU Data Protection Law and/or this Addendum, in which case Drift shall reimburse Customer for all reasonable costs and expenses incurred by Customer and Drift in connection with the audit.