Common use of Data Protection Law Clause in Contracts

Data Protection Law. 27.1 The Parties acknowledge that for the purposes of the Data Protection Law, the Council is the Controller and the Provider is the Processor. The only processing that the Provider is authorised to do is listed in Annex 9 by the Council and may not be determined by the Provider. 27.2 The Provider shall notify the Council immediately if it considers that any of the Council’s instructions infringe the Data Protection Law. 27.3 The Provider shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 27.4 The Provider shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Annex 9, unless the Provider is required to do otherwise by Law. If it is so required the Provider shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; (c) ensure that : I. the Provider Representatives do not process Personal Data except in accordance with this Contract (and in particular Annex 9); II. it takes all reasonable steps to ensure the reliability and integrity of any Provider Representatives who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Provider’s duties under this clause; (B)are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor;

Data Protection Law. 27.1 30.1 The Parties acknowledge that for the purposes of the Data Protection Law, the Council is the Controller and the Provider is the Processor. The only processing that the Provider is authorised to do is listed in Annex 9 by the Council and may not be determined by the Provider. 27.2 30.2 The Provider shall notify the Council immediately if it considers that any of the Council’s instructions infringe the Data Protection Law. 27.3 30.3 The Provider shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 27.4 30.4 The Provider shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Annex 9, unless the Provider is required to do otherwise by Law. If it is so required the Provider shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; (c) ensure that : I. the Provider Representatives do not process Personal Data except in accordance with this Contract (and in particular Annex 9); II. it takes all reasonable steps to ensure the reliability and integrity of any Provider Representatives who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Provider’s duties under this clausecondition; (B)are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor;