Data Protection Compliance. 16.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with Applicable Data Protection Laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by Applicable Laws to do otherwise. Where the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller on important grounds of public interest.
16.2 The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
16.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
16.4 Both Parties shall comply at all times with Applicable Data Protection Laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under Applicable Data Protection Laws.
16.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with Applicable Data Protection Laws in all respects including, but not limited to, its collection, holding, and processing.
16.6 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with Applicable Data Protection Laws and any best practice guidance issued by the ICO.
16.7 The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under Applicable Data Protection Laws with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO or other relevant supervisory authority or regulator.
16.8 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
16.8.1 be permitted to transfer the Personal Data outside the United Kingdom (“UK”) provided that the Data Processor shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Data Controller shall promptly comply with any reasonable request of the Data Processor, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer);
16.8.2 implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
16.8.3 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
16.8.4 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPR;
16.8.5 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with Applicable Data Protection Laws;
16.8.6 on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of Applicable Data Protection Laws; and
16.8.7 inform the Data Controller immediately if it is asked to do anything that infringes Applicable Data Protection Laws.
Appears in 1 contract
Sources: Master Services Agreement
Data Protection Compliance. 16.1 4.1 All instructions given by the Data Controller to the nominated Users and employees of the Data Processor shall be made in writing and shall at all times be in compliance with Applicable the Data Protection Laws▇▇▇ ▇▇▇▇ and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by Applicable Laws law to do otherwise. Where the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller on important grounds of public interest.
16.2 4.2 The nominated Users and employees of the Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor them to amend, transfer, delete, or otherwise dispose of the Personal Data.
16.3 4.3 The nominated Users and employees of the Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
16.4 4.4 Both Parties shall comply at all times with Applicable Data Protection Laws the DATA PROTECTION ▇▇▇ ▇▇▇▇ and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under Applicable Data Protection Lawsthe DATA PROTECTION ▇▇▇ ▇▇▇▇.
16.5 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with Applicable Data Protection Laws the DATA PROTECTION ▇▇▇ ▇▇▇▇ in all respects including, but not limited to, its collection, holding, and processing.
16.6 4.6 The nominated Users and employees of the Data Processor agrees agree to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with Applicable Data Protection Laws any and all applicable legislation from time to time in force (including, but not limited to, the DATA PROTECTION ACT 2018) and any best practice guidance issued by the ICO.
16.7 4.7 The nominated Users and employees of the Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under Applicable Data Protection Laws the DATA PROTECTION ACT 2018 with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO or other relevant supervisory authority or regulatorICO.
16.8 4.8 When processing the Personal Data on behalf of the Data Controller, the nominated Users and employees of the Data Processor shall:
16.8.1 be permitted to transfer 4.8.1 not process the Personal Data outside the United Kingdom (“UK”) provided that without the Data Processor shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, prior written consent of the Data Controller shall promptly and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the DATA PROTECTION ACT 2018 by providing an adequate level of protection to any reasonable request Personal Data that is transferred;
4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Data ProcessorController and, including any request to enter into standard data protection clauses adopted by in the EU Commission from time to time (where event of such consent, the EU GDPR applies Personal Data shall be transferred strictly subject to the transfer) or adopted by terms of a suitable agreement, as set out in Clause 10;
4.8.3 process the UK Information Commissioner from time to time (where the UK GDPR applies Personal Data only to the transfer);extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law.
16.8.2 4.8.4 implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;.
16.8.3 4.8.5 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
16.8.4 4.8.6 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPRDATA PROTECTION ▇▇▇ ▇▇▇▇;
16.8.5 4.8.7 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the nominated Users and employees of the Data Processor’s compliance with Applicable Data Protection Lawsthe DATA PROTECTION ▇▇▇ ▇▇▇▇;
16.8.6 on reasonable prior 4.8.8 with notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of Applicable the DATA PROTECTION ▇▇▇ ▇▇▇▇. The requirement to give notice will not apply if the Data Protection LawsController believes that the nominated Users and employees of the Data Processor are in breach of any of obligations under this Agreement or under the law; and
16.8.7 4.8.9 inform the Data Controller immediately if it is asked to do anything that infringes Applicable Data Protection Lawsthe DATA PROTECTION ▇▇▇ ▇▇▇▇ or any other applicable data protection legislation.
Appears in 1 contract
Data Protection Compliance. 16.1 1.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with Applicable Data Protection Lawsthe GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by Applicable Laws law to do otherwise. Where otherwise (as per Article 29 of the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller on important grounds of public interestGDPR).
16.2 1.2 The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
16.3 1.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at format chosen by the times, Data Processor and in compliance with the Data Controller’s written instructions.
16.4 1.4 Both Parties shall comply at all times with Applicable Data Protection Laws the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under Applicable Data Protection Lawsthe GDPR.
16.5 1.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with Applicable Data Protection Laws the GDPR in all respects including, but not limited to, its collection, holding, and processing.
16.6 The Data Processor agrees to comply with any reasonable measures required 1.6 All data sourced by the Data Controller for use in connection with the Service, prior to ensure that such data being provided to or accessed by the Data Processor for the performance of the Services under the Agreement, shall comply in all respects, including in terms of its obligations under this Agreement are satisfactorily performed in accordance collection, storage and processing (which shall include the Data Controller providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Applicable Data Protection Laws Laws;
1.7 If the Data Processor’s assistance is necessary and any best practice guidance issued by relevant, the ICO.
16.7 The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under Applicable Data Protection Laws the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO or other relevant supervisory authority or regulatorICO.
16.8 1.8 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
16.8.1 be permitted to transfer 8.a.1 process the Personal Data outside only to the United Kingdom extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (“UK”) provided that in which case, the Data Processor shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, inform the Data Controller shall promptly comply with any reasonable request of the legal requirement in question before processing the Personal Data Processor, including any request to enter into standard data protection clauses adopted for that purpose unless prohibited from doing so by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transferlaw);
16.8.2 8.a.2 implement appropriate technical and organisational measures, as described in Schedule 3, measures and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;.
16.8.3 8.a.3 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
16.8.4 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPR;
16.8.5 8.a.4 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with Applicable Data Protection Lawsthe GDPR;
16.8.6 on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of Applicable Data Protection Laws; and
16.8.7 8.a.5 inform the Data Controller immediately if it is asked to do anything that infringes Applicable Data Protection Lawsthe GDPR or any other applicable data protection legislation.
Appears in 1 contract
Sources: Data Processing Agreement
Data Protection Compliance. 16.1 4.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with Applicable Data Protection Laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by Applicable Laws to do otherwise. Where the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller on important grounds of public interest.
16.2 4.2 The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
16.3 4.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
16.4 4.4 Both Parties shall comply at all times with Applicable Data Protection Laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under Applicable Data Protection Laws.
16.5 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with Applicable Data Protection Laws in all respects including, but not limited to, its collection, holding, and processing.
16.6 4.6 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with Applicable Data Protection Laws and any best practice guidance issued by the ICO.
16.7 4.7 The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under Applicable Data Protection Laws with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO or other relevant supervisory authority or regulator.
16.8 4.8 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
16.8.1 4.8.1 be permitted to transfer the Personal Data outside the United Kingdom (“UK”) provided that the Data Processor shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Data Controller shall promptly comply with any reasonable request of the Data Processor, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer);
16.8.2 4.8.2 implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
16.8.3 4.8.3 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
16.8.4 4.8.4 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the UK GDPR;
16.8.5 4.8.5 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with Applicable Data Protection Laws;
16.8.6 4.8.6 on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of Applicable Data Protection Laws; and
16.8.7 4.8.7 inform the Data Controller immediately if it is asked to do anything that infringes Applicable Data Protection Laws.
Appears in 1 contract
Sources: Master Services Agreement
Data Protection Compliance. 16.1 4.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with Applicable the Data Protection LawsLegislation. The Data Processor shall act only on such lawful and reasonable written instructions from the Data Controller unless the Data Processor is required by Applicable Laws law to do otherwise. Where otherwise (as per Article 29 of the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller on important grounds of public interestUK GDPR).
16.2 4.2 The Data Processor shall promptly comply with any reasonable request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to stop, mitigate, or remedy any unauthorised processing.
16.3 4.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with with, the Data Controller’s written instructions.
16.4 4.4 Both Parties shall comply at all times with Applicable the Data Protection Laws Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves them in such way as to cause either Party to breach any of its applicable obligations under Applicable the Data Protection LawsLegislation.
16.5 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with Applicable the Data Protection Laws Legislation in all respects including, but not limited to, its collection, holding, and processing, and that the Controller has in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Processor.
16.6 4.6 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement these terms are satisfactorily performed in accordance with Applicable the Data Protection Laws Legislation and any best practice guidance issued by the ICOCommissioner.
16.7 4.7 The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under Applicable the Data Protection Laws Legislation with respect to the security of processing, the notification of personal data breachesPersonal Data Breaches, the conduct of data protection impact assessments, and in dealings with the ICO or other relevant supervisory authority or regulatorCommissioner. What is reasonable, for the purposes of this sub-Clause 4.7 shall take account of the nature of the Processor’s processing and the information available to the Processor.
16.8 4.8 The Processor shall notify the Controller in a timely manner of any changes to the Data Protection Legislation that may adversely affect its performance of the Services or of its obligations under these terms.
4.9 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
16.8.1 be permitted to 4.9.1 not transfer the Personal Data outside the United Kingdom without the prior written consent of the Controller;
4.9.2 not transfer any of the Personal Data to any third party without the written consent of the Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 11;
4.9.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (“UK”) provided that in which case, the Data Processor shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, inform the Data Controller shall promptly comply with any reasonable request of the legal requirement in question before processing the Personal Data Processor, including any request to enter into standard data protection clauses adopted for that purpose unless prohibited from doing so by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transferlaw);
16.8.2 4.9.4 implement appropriate technical and organisational measures, as including those described in Schedule 3Annex 2, and take all steps necessary to protect the Personal Data against unauthorised accidental, unauthorised, or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against its accidental or unlawful loss, destruction, damage, alteration, disclosure, or disclosuredamage. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
16.8.3 4.9.5 implement measures to ensure a level of security proportionate to the risks involved including, as appropriate:
a) the pseudonymisation and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
4.9.6 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
16.8.4 4.9.7 keep detailed complete and accurate records of and information concerning all processing activities carried out on the Personal Data in accordance order to demonstrate its compliance with these terms and the requirements of Article 30(2) of the UK GDPRData Protection Legislation;
16.8.5 4.9.8 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with Applicable the Data Protection LawsLegislation;
16.8.6 4.9.9 on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement these terms and both Parties’ compliance with the requirements of Applicable the Data Protection LawsLegislation. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under these terms or under the law; and
16.8.7 4.9.10 inform the Data Controller immediately if it is asked to do anything that infringes Applicable the Data Protection LawsLegislation.
Appears in 1 contract
Sources: Master Services Agreement
Data Protection Compliance. 16.1 4.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with Applicable the Data Protection LawsLegislation. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by Applicable Laws law to do otherwise. Where otherwise (as per Article 29 of the Data Processor is relying on Applicable Laws as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller on important grounds of public interestUK GDPR).
16.2 4.2 The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to stop, mitigate, or remedy any unauthorised processing.
16.3 4.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with with, the Data Controller’s written instructions.
16.4 4.4 Both Parties shall comply at all times with Applicable the Data Protection Laws Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves them in such way as to cause either Party to breach any of its applicable obligations under Applicable the Data Protection LawsLegislation.
16.5 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with Applicable the Data Protection Laws Legislation in all respects including, but not limited to, its collection, holding, and processing, and that the Controller has in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Processor.
16.6 4.6 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with Applicable the Data Protection Laws Legislation and any best practice guidance issued by the ICOCommissioner.
16.7 4.7 The Data Processor shall provide all reasonable assistance (assistance, at the Data Controller’s cost) , to the Data Controller in complying with its obligations under Applicable the Data Protection Laws Legislation with respect to the security of processing, the notification of personal data breachesPersonal Data Breaches, the conduct of data protection impact assessments, and in dealings with the ICO or other relevant supervisory authority or regulatorCommissioner. What is reasonable, for the purposes of this sub-Clause shall take account of the nature of the Processor’s processing and the information available to the Processor.
16.8 4.8 The Processor shall notify the Controller in a timely manner of any changes to the Data Protection Legislation that may adversely affect its performance of the Services or of its obligations under this Agreement.
4.9 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
16.8.1 be permitted to a) not transfer the Personal Data outside the United Kingdom without the prior written consent of the Controller;
b) not transfer any of the Personal Data to any third party without the written consent of the Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 11;
c) process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (“UK”) provided that in which case, the Data Processor shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, inform the Data Controller shall promptly comply with any reasonable request of the legal requirement in question before processing the Personal Data Processor, including any request to enter into standard data protection clauses adopted for that purpose unless prohibited from doing so by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transferlaw);
16.8.2 d) implement appropriate technical and organisational measures, as including those described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised accidental, unauthorised, or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against its accidental or unlawful loss, destruction, damage, alteration, disclosure, or disclosuredamage. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
16.8.3 e) implement measures to ensure a level of security proportionate to the risks involved including, as appropriate:
i) the pseudonymisation and encryption of Personal Data;
ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
iii) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
f) if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
16.8.4 g) keep detailed complete and accurate records of and information concerning all processing activities carried out on the Personal Data in accordance order to demonstrate its compliance with this Agreement and the requirements of Article 30(2) of the UK GDPRData Protection Legislation;
16.8.5 h) make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with Applicable the Data Protection LawsLegislation;
16.8.6 i) on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of Applicable the Data Protection LawsLegislation. The requirement to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this Agreement or under the law; and
16.8.7 j) inform the Data Controller immediately if it is asked to do anything that infringes Applicable the Data Protection LawsLegislation.
Appears in 1 contract
Sources: Data Processing Agreement