Common use of Data Protection Clause in Contracts

Data Protection. The parties acknowledge that personal data may be transferred under this agreement (“Personal Data”) and each party will fully comply with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. 
Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.

Appears in 4 contracts

Sources: Human Material Transfer Agreement for Non Academic Use, Human Material Transfer Agreement, Human Material Transfer Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ▇▇▇▇▇▇▇▇ons under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" ▇▇ ▇▇▇ European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any such data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Da▇▇ ▇▇▇▇▇ction (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mor▇▇▇▇▇▇ ▇rustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 3 contracts

Sources: Administration Agreement (Granite Mortgages 03-3 PLC), Administration Agreement (Granite Mortgages 03-1 PLC), Administration Agreement (Granite Mortgages 03-2 PLC)

Data Protection. 22.1 Each Consortium Member shall ensure that at all times it complies with its obligations under this Agreement in manner so as to comply with the DPA and all relevant regulations relating to data protection. 22.2 Each Consortium Member warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to Process Personal Data for the purposes of performing its obligations under this Agreement. 22.3 Each Consortium Member undertakes that to the extent that it and/or any of its employees receives, has access to and/or is required to Process Personal Data on behalf of the GLA (the GLA's Personal Data) for the purpose of performing its obligations under this Agreement it will at all times act as if it were a Data Controller and comply with the provisions of the DPA for the time being in force. 22.4 Each Consortium Member shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the GLA's Personal Data and any person it authorises to have access to any the GLA's Personal Data will respect and maintain the confidentiality and security of the GLA's Personal Data. 22.5 Each Consortium Member shall allow the GLA to audit its compliance with the requirements of this Condition 22 on reasonable notice and/or, at the GLA's request, provide the GLA with evidence of its compliance with the obligations within this Condition 22. 22.6 Each Consortium Member undertakes not to disclose or transfer any of the GLA's Personal Data to any third party without the prior written consent of the GLA save that without prejudice to Condition 22.3 each Consortium Member shall be entitled to disclose the GLA's Personal Data to employees to whom such disclosure is reasonably necessary in order for that Consortium Member to perform its obligations under this Agreement, or to the extent required under a court order. 22.7 Each Consortium Member agrees to use all reasonable efforts to assist the GLA to comply with such obligations as are imposed on the GLA by the DPA. 22.8 Each Consortium Member shall indemnify the GLA against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by the GLA as a result of the destruction, damage or loss of the GLA's Personal Data processed by its employees, agents, or any breach of or other failure to comply with the obligations in the DPA and/or this Condition 22 by the Consortium Member, its employees, agents or sub-contractors. 22.9 Each Consortium Member undertakes to include obligations no less onerous than those set out in this Condition 22, in all contractual arrangements with agents engaged by it in performing its obligations under this Agreement to the GLA.

Appears in 3 contracts

Sources: Consortium Grant Agreement, Consortium Grant Agreement, Approved Provider Consortium Grant Agreement

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); carry out the processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; notify the CLIENT (within five (5) Working Days) if it receives:

Appears in 3 contracts

Sources: Legal Services Framework Agreement, Legal Services Framework Agreement, Legal Services Framework Agreement

Data Protection. 7.1 To the extent that Personal Data is processed using the Product, the Parties acknowledge that Bynder is a Data Processor and Customer is a Data Controller and each Party shall comply with their respective statutory or regulatory data protection obligations. 7.2 Bynder, its subcontractors, licensors, and hosts, shall take sufficient and appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data, having regard to the state of technological development and cost of implementing any measures, to ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage and the nature of the Personal Data to be protected. 7.3 Bynder shall process Personal Data in accordance with Customer’s instructions. Should Customer’s instructions contravene or appear likely to contravene legislation binding Bynder, Bynder will notify Customer and request alternative instructions not in contravention of such legislation. Bynder shall have no liability whatsoever for breaches of Data Protection Legislation that arise as a result of its following Customer’s instructions in implementing and supplying the Product. 7.4 Customer is fully responsible for its Customer Data and guarantees to Bynder that the content, use, and/or processing of the Customer Data are not unlawful and do not infringe the rights of any third party. 7.5 Customer shall ensure that all Personal Data that it supplies or discloses to Bynder has been obtained fairly and lawfully and that it will obtain all consents from Data Subjects and registrations with authorities that are required to permit Bynder to transfer Personal Data to third parties to fulfil its obligations under this Agreement. 7.6 Customer indemnifies Bynder against any claim of a third party, including Data Subjects, instituted for whatever reason in connection with its Customer Data or the performance of this Agreement. 7.7 If a third party alleges infringement of its data protection rights, Bynder shall be entitled to take reasonable measures it deems necessary to prevent the infringement of a third party’s rights from continuing. 7.8 Bynder shall have no liability whatsoever for the protection of Personal Data in the event that Customer uses a Bynder Product to release such Personal Data to unauthorised persons, entities, or organisations. 7.9 Subject to applicable Data Protection Legislation, if a Data Subject submits a disclosure request to Customer to find out what of their Personal Data Customer holds, and/or to obtain a copy of their Personal Data, Bynder shall inform Customer, unless prohibited by law, and will cooperate and invoice Customer on a time and material basis for any work conducted in fulfilling such requests. Should Bynder be required by law to supply personal data to third parties, Subsection 4.6 shall apply.

Appears in 3 contracts

Sources: Standard Terms of Service, Standard Terms of Service, Standard Terms of Service

Data Protection. 12.1 The Company and the Customer agree that for the purpose of Data Protection Legislation that the Customer shall be the Data Controller and the Company shall be the Data Processor in respect of any Personal Data which is transferred from the Customer to the Company under the terms of this Contract. 12.2 As a Data Processor the Company shall Process the Personal Data only to the extent necessary to perform its obligations pursuant to this Contract and/or in accordance with the Customer’s instructions from time to time, and shall not Process the Personal Data for any other purpose other than enabling it to fulfil its obligations pursuant to this Contract or to perform any other activity which may be authorised by the Customer from time to time. 12.3 Where a party is a Data Processor pursuant to this Contract it shall take reasonable steps to ensure that its employees and agents are informed of its obligations in relation to Personal Data that it collects, transfers or holds, and its employees and agents shall Process such information in confidence and in accordance with all relevant Data Protection Legislation. 12.4 Each party warrants to the other that it will Process the other’s Personal Data in compliance with all applicable Data Protection Legislation. 12.5 Where a party to this Contract becomes a Data Processor pursuant to it, it warrants that in relation to the Personal Data in respect of which it is a Data Processor that: 12.5.1 having regard to the reasonably available state of the art of technological development, the nature of the Processing in question, the cost of implementation, and the material risk to the rights of affected Data Subjects, the Data Processor will take appropriate technical and organisational measures to secure relevant Personal Data against the unauthorised or unlawful Processing and against the accidental loss or destruction; 12.5.2 it will assist the Data Controller, insofar as reasonably possible, in responding to any requests made by any relevant Data Subject which concern the exercise of that Data Subject’s rights under the GDPR, subject to Data Controller reimbursing it for the cost of the same; 12.5.3 it will notify the Data Controller, insofar as reasonably possible, of any relevant requests for the disclosure of Personal Data which may be made to it and which it considers that it is legally obliged to respond to, subject to Data Controller reimbursing it for the cost of the same; 12.5.4 it will report to the Data Controller any actual data breach concerning Personal Data that relates to this Contract which comes to its attention and shall assist the Data Controller to inform the relevant regulator and affected Data Subjects, subject to Data Controller reimbursing it for the cost of the same; 12.5.5 it will, on request, take reasonable steps to demonstrate to the Data Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation, subject to Data Controller reimbursing it for the cost of the same; and 12.5.6 it shall hold all Personal Data in confidence, subject to security measures no less rigorous than those which it uses to safeguard its own confidential information. 12.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations pursuant this clause 12. In order to avail itself of this indemnity the claiming party must: promptly notify the indemnifier of any relevant claim of which the indemnified party becomes aware; not make any admission of liability or offer to settle in respect of any relevant claim without the prior written permission of the indemnifier; grant the indemnifier full control of all relevant proceedings on request, and; provide the indemnifier with such assistance in dealing with such claims as it may reasonably request. 12.7 The parties acknowledge that to the extent that a party is a Data Processor pursuant to this Contract it will be reliant on the other, the Data Controller, for direction as to the extent to which the Data Controller will be entitled to use and Process the relevant Personal Data. Consequently, the Data Processor will not be liable to the Data Controller for any loss or damage which arises from any claim brought by a Data Subject or any fine levied by any relevant regulatory authority which results from any action or omission by the Data Processor, to the extent that such action or omission resulted directly from the Data Controller’s instructions. 12.8 The Company confirms that it will treat all Personal Data which is transferred to it under the terms of this Contract in line with their Privacy Policy.

Appears in 3 contracts

Sources: Master Service Agreement, Master Service Agreement, Master Service Agreement

Data Protection. 8.1 The terms defined in the EU General Data Protection Regulation 2016/679, (the “GDPR”) and the Regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, Regulation 2018/1725 (the “EU DPR”) have the same meaning when used in this clause.
8.2 The Parties acknowledge that each of them will act as independent controller and not as a processor on behalf of, or joint controller with, the other Party, when processing personal data in connection with the Services, including data processing performed in compliance with their obligations at law. The Service Provider shall comply with the GDPR and all other applicable data protection and data privacy laws (the “Data Protection Laws”) in disclosing personal data to EIB or otherwise processing personal data in connection with the Agreement and any Contract.
8.3 Before disclosing any personal data (other than mere contact information relating to the Service Provider’s personnel involved in the management of the Agreement and any Contract (“Contact Data”)) to EIB in connection with the Agreement and any Contract, the Service Provider shall ensure that each data subject of such personal data: (a) has been informed of the disclosure to EIB (including the categories of personal data to be disclosed); and (b) has been advised on the information contained in or has been provided with an appropriate link to EIB’s privacy statement in relation to its procurement and contract management activities as set out from time to time at <▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/en/privacy/procurement.htm> or such other address as the Bank may notify to the Service Provider in writing.
8.4 The Service Provider shall promptly inform EIB in writing, with full details, if it: (a) becomes aware of any personal data breach; or (b) receives any communication from: (i) a data subject seeking to exercise a right under, or alleging breach of, the GDPR or any other applicable data protection or data privacy law; or (ii) a supervisory authority or other competent data protection authority, in relation to personal data disclosed or to be disclosed by EIB to the Service Provider or by the Service Provider to EIB, or otherwise processed by the Service Provider in connection with the Agreement and any Contract.
8.5 The Service Provider shall give EIB such information, co-operation and assistance as EIB reasonably requests to enable it to address the legal or other consequences of that personal data breach or of the subject matter of that communication.
8.6 The Service Provider shall notify EIB without delay of any legally binding request for disclosure of the personal data transmitted to it by EIB made by any national public authority, including an authority from a third country.

Appears in 3 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement.
The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data.
For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 3 contracts

Sources: Deal Sheet, Data License Agreement, Data Licence Agreement

Data Protection. 15.1 In so far that Shared Personal Data is Processed under this Agreement it is understood that the parties will each act in the capacity of an independent Data Controller.
15.2 The Grant Recipient (including its employees agents or officers) and each Delivery Partner shall at all times during the period of this Agreement comply with the provisions and obligations imposed by this clause 15 (Data protection) and the Data Protection Legislation generally, including any requirement to obtain registrations, consents, and provide notifications and relevant privacy information to Data Subjects as required for the purposes of their obligations under this Agreement.
15.3 The Grant Recipient warrants and represents that it and/or any of its employees and each Delivery Partner each have in place appropriate technical and organisational measures to protect the Shared Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
15.4 The Grant Recipient shall notify Homes England without undue delay on becoming aware of any breach of the applicable Data Protection Legislation in relation to the Shared Personal Data.
15.5 Whilst each party shall be responsible for responding to any complaint in relation to the Shared Personal Data Processed pursuant to this Agreement, or any request by individuals to exercise the Data Subject's rights, if necessary the parties will co-operate with each other and provide reasonable assistance with any request, proceedings or inquiry by any affected Data Subject and/or the Information Commissioner or other body authorised by statute which are concerned with the Data Protection Legislation in connection with the Shared Personal Data Processed under this Agreement.
15.6 The provision of this clause 15 (Data protection) shall apply during the continuance of the Agreement and indefinitely after its termination.
15.7 The Grant Recipient shall indemnify Homes England against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by Homes England as a result of the Grant Recipient's destruction of and/or damage to any of the Shared Personal Data processed by the Grant Recipient, its employees, agents, or a Delivery Partner or any breach of or other failure to comply with the obligations in the Data Protection Legislation and/or this clause 15 (Data protection) by the Grant Recipient, its employees, agents or sub-contractors or any Delivery Partners.
15.8 The Grant Recipient shall appoint and identify an individual within its organisation authorised to respond to enquiries from Homes England concerning the Grant Recipient's and each Delivery Partner's Processing of the Shared Personal Data and will deal with all enquiries from Homes England relating to such Personal Data promptly, including those from the Information Commissioner.
15.9 The Grant Recipient undertakes to include obligations no less onerous than those set out in this clause 15 (Data protection), in all contractual arrangements with its Delivery Partners, Group Companies, agents or sub-contractors engaged by the Grant Recipient in performing its obligations under this Agreement to Homes England and to enforce all such obligations on Homes England's request.
15.10 Homes England may, at any time on not less than thirty (30) Business Days' notice, revise this clause 15 (Data protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

Appears in 3 contracts

Sources: Grant Agreement, Grant Agreement, Grant Agreement

Data Protection. 1. The parties agree to treat the personal data to which they may have access for the purpose indicated in this Educational Cooperation agreement. In accordance with the provisions of Regulation (EU) 2016/679, contained in Organic Law 3/2018, of 5 December 2018, concerning the Protection of Personal Data and Guarantee of Digital Rights and other development regulations, the processing of data of a personal nature that derives from this agreement is subject to the provisions of current legal regulations, obliging the parties to comply with any obligations that may be required, and not to use personal data for purposes other than those provided for in this agreement nor to disseminate this data or provide it to third parties.
2. For these purposes, and in accordance with the provisions of the regulations on data protection, the parties will adopt measures that guarantee the adequate security of personal data in order to avoid unauthorized or illegal treatment, loss, destruction or accidental damage, through the application of appropriate technical and organizational measures.
3. The personal data provided by the Parties referring to the contact persons or signatories shall be processed for the purpose of managing the formalised relationship between them, the legitimate basis for the processing being the execution of this contract. The data provided shall not be passed on to third parties, unless legally obliged to do so. The data subject may exercise his or her rights of access, rectification, erasure, objection, limitation of processing, data portability and, where appropriate, the right not to be subject to automated decisions, by writing to the address of the parties indicated in this agreement.
4. If, as a result of the execution of this agreement, the parties access and process personal data belonging to the other party, they must sign the corresponding contract for the processing of such data.
5. Failure to comply with any of the above obligations shall be sufficient cause for termination of this agreement, without prejudice to any liabilities of any kind that may be incurred for such non-compliance.
6. Each party must hold the other party harmless against all claims, damages, losses, fines, penalties, costs and expenses arising out of legal and/or extrajudicial proceedings due to any breach by that party's personnel of the obligations contained in this clause, not assuming any responsibility as a consequence of the non-compliance with the regulations in force on data protection in which the other party may incur.

Appears in 2 contracts

Sources: Educational Cooperation Agreement, Educational Cooperation Agreement

Data Protection. (a) The Operator and the Authority acknowledge and agree that the Authority is a data controller in respect of all personal data processed by the Operator on behalf of the Authority in the performance of the Services, including all Network Data which constitutes personal data, all personal data relating to users of the Ticketing System, passengers on the Network and any individuals whose personal data may be recorded by any CCTV system operated by the Operator under or in connection with this Agreement.
(b) To the extent that the provision of the Services by the Operator involves the processing of personal data (as defined in the Data Protection Acts) by the Operator on behalf of the Authority, the Operator agrees that: (i) it shall process such personal data in accordance with the instructions of the Authority and the terms of this Agreement; (ii) it shall implement and maintain such security measures as are required to comply with the data security obligations of the Data Protection Acts; (iii) the Authority (or its authorised representative(s)), acting reasonably, shall be entitled, at reasonable times and on reasonable notice, to audit the security measures adopted by the Operator to ensure that such measures comply with the data security obligations of the Data Protection Acts; (iv) it shall report any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of such personal data to the Authority immediately upon becoming aware of such an incident and shall provide the Authority with such co-operation and assistance as may be reasonably required to mitigate against the effect of the security incident; (v) it shall inform the Authority promptly in the event of receiving a data subject access request in relation to any such personal data and shall provide all such co-operation and assistance as may be required to enable the Authority to deal with any data subject access request in accordance with the Data Protection Acts; (vi) it shall not transfer any such personal data outside of the European Economic Area: (A) without the prior written consent of the Authority; and (B) without ensuring that such transfer complies with the Data Protection Acts; and (vii) it shall at all times comply with the relevant provisions of the Data Protection Acts including any obligation to register as a data processor (as defined in the Data Protection Acts) with the Data Protection Commissioner.

Appears in 2 contracts

Sources: Public Service Contract, Public Service Contract

Data Protection. 19.1 In performing its obligations under this Agreement, the Parties shall: 19.1.1 comply with the provisions of the Data Protection Legislation insofar as it is applicable to this Agreement; 19.1.2 not process Personal Information for any purpose other than that which may be required to perform its obligations under this Agreement and ensure that such processing will not place the University in breach of any Data Protection Legislation; 19.1.3 only act on the express instructions of the University in collecting, processing and utilising any Personal Information (for avoidance of doubt, this Agreement shall constitute such instructions); 19.1.4 not disclose or otherwise make available any Personal Information to any third party other than authorised Personnel or sub-contractors who require access to such Personal Information strictly in order for the Service Provider to carry out its obligations pursuant to this Agreement, and ensure that such Personnel and persons that have access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information.
19.2 The Service Provider shall be responsible for establishing and maintaining an information security system that is designed to: 19.2.1 ensure the security and confidentiality of the all Personal Information and any University information (including any back-ups, where applicable) by the use of encryption for such information at transit and rest; 19.2.2 protect against any anticipated threats or hazards; 19.2.3 protect against unauthorised access to, disclosure or use of any University information; 19.2.4 ensure the proper separation of information belonging to the University from any third party information; 19.2.5 where appropriate, ensure the proper disposal of information belonging to the University; 19.2.6 preserve the integrity of any information belonging to the University and prevent the corruption, destruction or loss of such information at all times; and 19.2.7 ensure that all sub-contractors of the Service Provider, if any, comply with the provisions of this clause 19.
19.3 The Service Provider will report to the University orally and confirmed in writing any actual and/or suspected breaches such as security incidents, unauthorised access or disclosure of Confidential and/or Personal Information immediately upon discovery of the unauthorised disclosure but in no event more than 2 (two) days after the Service Provider reasonably believes there has been such unauthorised use or disclosure.
19.4 Where the Service Provider (including the Service Provider’s Personnel) is given access (whether direct or remote) to any University Information Technology Systems under or in connection with the Agreement, the Service Provider shall (and shall ensure that the Service Provider’s Personnel): 19.4.1 comply with the Rules, requirements or other instructions of the University or, where applicable, the University’s third party suppliers, regarding use of such University Information Technology Systems; 19.4.2 only use the University Information Technology Systems in connection with the proper delivery of the Deliverables; 19.4.3 not permit any other individual or entity to access the University Information Technology Systems; 19.4.4 upon the University’s request, immediately cease access to and use of any University Information Technology Systems and return all University Information Technology Systems (and associated documentation) to the University; and 19.4.5 not reverse engineer, deconstruct, decompile, deactivate or disable any University Information Technology Systems or introduce any viruses or other similar code, or take any other action that would cause any damage or harm to any Information Technology Systems of the University.

Appears in 2 contracts

Sources: Service Provider Agreement, Service Provider Agreement

Data Protection. Each Party shall in relation to the processing of the Shared Personal Data comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within thirty (30) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. Each Party shall comply with the Data Protection Legislation in processing the Shared Personal Data and shall do all things reasonably necessary to assist the other in complying with its obligations under Data Protection Legislation in respect of the Shared Personal Data.
In particular, each Party shall: ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, Shared Personal Data; ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the other Party for such purposes as the Parties have mutually agreed, and consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data wherever possible; provide the other Party with reasonable assistance in complying with any data subject access request or deletion requests and queries or complaints made under Data Protection Legislation; provide the other Party with reasonable assistance in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the other Party without undue delay on becoming aware of any Personal Data Breach in relation to Shared Personal Data which it has received from the other Party and provide assistance to the other Party as is necessary upon reasonable request to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner; maintain complete and accurate records and information to demonstrate compliance with this Agreement; ensure the reliability of any of its Personnel who have access to personal data and ensure that such Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and not transfer any Shared Personal Data which it has received from the other Party internationally or to an international organisation except as permitted in accordance with Data Protection Legislation.

Appears in 2 contracts

Sources: Data Sharing Agreement, Data Sharing Agreement

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection Toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data.
Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 3.1 As and from the Effective Date, the Contract shall be amended and supplemented by Clauses 3.2 to 3.11 below.
3.2 The Merchant authorises the Carrier to process Personal Data provided to the Carrier or which is made available to it for the purposes of providing Services to the Merchant pursuant to the Contract and for any other purposes set out in Schedule 2.
3.3 The Merchant shall be the “Data Controller” and the Carrier shall be a “Data Processor” for the purposes of the Regulation and/or the Applicable Data Protection Law. The Data Subjects, Categories of Personal Data, Processing Operations and Duration of Processing relevant to the provision of the Services are defined in Schedule 2.
3.4 The Merchant represents and warrants that it complies with the Regulation and any Applicable Data Protection Laws regarding the collection, use and all other security measures of the Personal Data, in particular: (a) all of the Personal Data that the Merchant provides or makes available to the Carrier has been lawfully and validly obtained or processed by the Merchant, and can be lawfully disclosed to the Carrier for the provision of Services and any other agreed purposes. The Processing of such Personal Data will be relevant, fair, lawful and proportionate to the respective uses of the Merchant; (b) all Data Subjects have been informed of the Carrier’s Processing of their Personal Data for the agreed purposes and the Merchant can demonstrate a lawful basis for such Processing; and (c) the Merchant has established a procedure for the exercise of the rights of individuals whose Personal Data are collected and are in its custody or under its control.
3.5 The Merchant agrees that the Carrier is permitted to, and instructs the Carrier to: (a) Process all Personal Data that the Carrier collects from, or relating to, the Merchant in order to provide the Services under the Contract, including but not limited to transferring Personal Data to competent bodies, courts or regulatory authorities in order to provide the Services, comply with Applicable Data Protection Laws or comply with requests from such bodies, courts or authorities; (b) disclose or transfer the Personal Data to its Affiliates, and any of its employees, agents, delegates, Sub-Processors, or competent authorities (including customs and tax authorities) and bodies in order to provide the Services or services ancillary thereto; (c) Process the Personal Data to carry out actions or investigations that the Carrier considers appropriate to meet its obligations arising from applicable laws relating to fraud prevention, sanction, money laundering, terrorist, bribery, corruption, and the provision of other services to persons who may be subject to economic or trade sanctions (including disclosure to Sub-Processors); (d) report regulatory related information to competent bodies or authorities in order to comply with its legal and regulatory obligations; (e) retain the Personal Data for so long as it is required to provide the Services or perform investigations in relation to such, or otherwise required by Applicable Data Protection Law and/or justified under the relevant English or other statutory limitation periods (as applicable), whichever is the later; and (f) Process, retrieve or track the Personal Data for the purpose of updating the Merchant’s records for fees and billing, improving service, servicing the client relationship, developing, operating, maintaining and improving Carrier’s services, products, websites, software and/or other business tools, conducting system testing, troubleshooting and to advise the Merchant of other products and services offered by the Carrier and/or its Affiliates.
3.6 Unless otherwise prevented by Applicable Data Protection Laws, the Carrier agrees that it will (a) Process the Personal Data only on behalf of the Merchant and in compliance with the written instructions of the Merchant and this Agreement. If it is required by any applicable laws to process or disclose Personal Data for purposes other than those agreed, it shall promptly inform the Merchant of that legal requirement before processing the Personal Data; (b) as soon as practicable inform the Merchant if in the Carrier’s opinion, and without any obligation to perform any legal assessment, an instruction given to it breaches the Regulation, Applicable Data Protection Law and/or any applicable laws; (c) take appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, the Personal Data, and ensure that all persons who have access to process Personal Data have committed themselves to appropriate obligations of confidentiality; (d) provide reasonable assistance to the Merchant to enable it to comply with (i) the rights of Data Subjects; (ii) the security requirements; and (iii) any privacy assessment procedure or consultation, as required under the Regulation and/or Applicable Data Protection Law; (e) inform the Merchant without delay of (i) any request for the disclosure of the Personal Data by a law enforcement authority; (ii) any incident which gives rise to a risk of unauthorised access, disclosure, loss, destruction, misuse or alteration of Personal Data; (iii) any notice, inquiry or investigation by a Supervisory Authority; and (iv) any complaint or request (in particular, requests for access to, rectification or blocking, erasure and destruction of Personal Data) received directly from the Data Subjects; (f) notify the Merchant as soon as it becomes aware of a Reportable Breach and will provide the Merchant with reasonable assistance in responding to and mitigating it. Where the Reportable Breach is connected to the Carrier’s Processing of the Personal Data, the Merchant shall provide the Carrier with a copy of the intended notification (if any) to be made by the Merchant to the affected Data Subjects and/or Supervisory Authority for the Carrier’s prior written approval; and (g) upon termination of the Contract, the Personal Data shall, at the Merchant’s option, be destroyed or returned to the Merchant.
3.7 The Merchant acknowledges and agrees that the Carrier shall be permitted to perform any or all of its Personal Data processing obligations through its Affiliates, subcontractors, or continue to use sub-contractors engaged by the Carrier, provided that (i) the Carrier shall remain liable to the Merchant for such performance of its Personal Data processing obligations by any Affiliate or subcontractor; and (ii) all Affiliates or subcontractors engaged by the Carrier shall be bound by the terms of an agreement which contain the same or equivalent obligations with respect to Personal Data as imposed on the Carrier under this Agreement.

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement

Data Protection. 8.1 Each party will comply with all applicable requirements of the Data Protection Legislation. This Clause is in addition to, and does not relieve, remove or replace, either party’s obligations under the Data Protection Legislation.
8.2 The parties acknowledge that Personal Data of Licensee personnel may be provided to Blue Prism for the provision of Support Services during the Agreement Term, in which case Licensee shall be the Data Controller and Blue Prism shall be the Data Processor. Such Personal Data may include Licensee personnel names, work email address, job information and work telephone number and shall be used by Blue Prism to communicate with Licensee in providing the Support Services and manage Support Service requests.
8.3 Save as set out in Clause 8.2, Licensee shall not provide any Personal Data to Blue Prism for processing by Blue Prism on Licensee’s behalf.
8.4 Licensee will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Blue Prism for the duration and purposes of this Agreement in order for Blue Prism to provide Support Services.
8.5 Blue Prism shall in relation to any Personal Data processed in connection with the performance of its obligations under this Agreement: 8.5.1 process that Personal Data only on the written instructions of Licensee as described in Clause 8.2 or otherwise agreed; 8.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; 8.5.3 ensure that all Blue Prism personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.5.4 only transfer any Personal Data outside of the European Economic Area to its Affiliates and sub-contractors (Licensee’s permission for which is hereby given) if: (a) Blue Prism has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) Blue Prism complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) Blue Prism complies with reasonable instructions notified to it in advance by Licensee with respect to the processing of the Personal Data; 8.5.5 provide reasonable assistance to Licensee in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.5.6 notify Licensee without undue delay on becoming aware of a Personal Data breach; 8.5.7 at the written direction of Licensee, delete or return Personal Data and copies thereof to Licensee on termination or expiry of the Agreement unless required by applicable law to store the Personal Data; and 8.5.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 8.
8.6 Licensee consents to Blue Prism appointing third-party processors of Personal Data, including Blue Prism Affiliates, in order to provide Support Services to Licensee under this Agreement. Where a third-party processor is not a Blue Prism Affiliate, Blue Prism confirms that it has entered into a written agreement substantially on that third party’s standard terms of business. Further details of Blue Prism’s third-party processors are included in the Blue Prism Privacy Policy. As between Licensee and Blue Prism, Blue Prism shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Clause.

Appears in 2 contracts

Sources: Software License Agreement, License Agreement

Data Protection. The parties Parties acknowledge that personal data may be transferred their respective duties under this agreement (“Personal Data”) Data Protection Legislation and shall give each party will fully other all reasonable assistance as appropriate or necessary to enable each other to comply with its respective obligations under those duties. For the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers avoidance of their processing operations performed with such Personal Data. Taking into account the state of the artdoubt, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to Supplier shall take reasonable steps to mitigate ensure it is familiar with the impact Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters. 
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records 
Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: Framework Agreement for the Supply of Goods and the Provision of Services, Framework Agreement

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WME may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WME is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WME be deemed to be a processor on behalf of, or a joint controller with, the Client. WME explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WME refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws, and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WME, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WME is accurate and up to date, and that it promptly notifies WME if it becomes aware that such personal data is incorrect.
Where the Client provides personal data to WME, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WME’s Privacy Notice. In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WME.
In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. 22.1 In relation to any Processing of Disclosed Data undertaken by the Supplier on behalf of the University pursuant to the Contract, the University and the Supplier acknowledge that, for the purposes of Data Protection Law, the University is the Data Controller and the Supplier is the Data Processor of such Disclosed Data. 22.2 The Parties agree that the Supplier may only process Disclosed Data on and in the Supplier or the Supplier’s Sub-Contractors’ data centres in the EEA and the Disclosed Data may not be stored, transferred, located or otherwise processed outside of such area. Neither the Supplier nor any of its Sub-Contractors are entitled to transfer any of the Disclosed Data outside of the EEA without the University’s prior written consent (and otherwise procuring the University’s compliance with the Eighth Data Protection Principle of the Data Protection ▇▇▇ ▇▇▇▇ or equivalent restrictions under Data Protection Law). 22.3 The Supplier warrants and undertakes that it is solely responsible for ensuring that the Disclosed Data is processed by it in accordance with the Data Protection Law from the date that it is received from the University. 22.4 The Supplier undertakes to the University that it shall use the Disclosed Data only for purposes necessary for the performance of its obligations under the Contract and only in accordance with the instructions given from time to time by the University. 22.5 The Supplier shall (and shall procure that any of the Supplier's Personnel involved in the provision of the Contract shall) comply with any notification requirements under Data Protection Law and both Parties shall duly observe all their obligations under Data Protection Laws which arise in connection with the Contract.
Supplier’s Personnel 22.6 The Supplier will ensure that access to the Disclosed Data is limited to: (a) Supplier’s Personnel who need access to the Disclosed Data to meet the Supplier's obligations under the Contract (the “Relevant Employees”); and (b) in the case of any access by any of the Supplier’s Personnel, such part or parts of the Disclosed Data as is strictly necessary for performance of said Supplier’s Personnel duties.
22.7 The Supplier will ensure that its Relevant Employees: (a) only Process Disclosed Data to the extent permitted by the Contract; (b) are bound by appropriate obligations of confidentiality in respect of the Disclosed Data and understand that the Disclosed Data is confidential in nature; (c) have undertaken training in Data Protection Law; and (d) are aware of the Supplier's obligations under such Data Protection Law and the Contract. 22.8 Without affecting the generality of clause 22.7, the Supplier will take appropriate steps to ensure the reliability of any of the Supplier's Personnel who have access to the Disclosed Data.

Appears in 2 contracts

Sources: Purchase Agreement, Purchase Agreement

Data Protection. 11.1 The Supplier/Contractor warrants and represents to the Purchaser that it shall comply with the Data Protection Laws. 11.2 Without prejudice to Condition 12.1, the Supplier/Contractor shall: 11.2.1 process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by the Purchaser (which may be specific or of a general nature), including with regard to transfers of Personal Data outside the European Economic Area unless required to do so by European Union or Member state law or regulatory body to which the Supplier/Contractor is subject; in which case the Supplier/Contractor must, unless prohibited by that law, inform the Purchaser of that legal requirement before processing the Personal Data only to the extent, and in such manner as is necessary for the performance of the Supplier/Contractor's obligations under this Contract or as is required by law; 11.2.2 subject to Condition 12.2.1 only process or otherwise transfer any Personal Data in or to any country outside of the European Economic Area with the Purchaser's prior written consent; 11.2.3 take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that such personnel are: aware of and comply with the terms of this Condition 12; subject to appropriate confidentiality undertakings; informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; 11.2.4 implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 11.2.5 provide to the Purchaser reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the GDPR; 11.2.6 If the Supplier/Contractor engages a sub-contractor for carrying out Processing activities on behalf of the Purchaser, the Supplier/Contractor must ensure that the same data protection obligations as set out in this Contract are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
The Supplier/Contractor shall remain fully liable to the Purchaser for the performance of the sub-contractor's performance of the obligations; and 11.2.7 ensure it does not knowingly or negligently do or omit to do anything which places the Purchaser in breach of the Purchaser's obligations under the Data Protection Laws.

Appears in 2 contracts

Sources: Purchase Order Terms and Conditions, Purchase Order Terms and Conditions

Data Protection. With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that in relation to any Customer Data, the Customer is a controller and the Supplier is a processor. The Parties acknowledge their respective obligations under the Data Protection Legislation and shall give each other such assistance as is reasonable to enable each other to comply with such obligations, however, for the avoidance of doubt the Customer agrees that where Entrust has satisfied a contractual obligation under this Agreement, then such satisfaction of the contractual obligation is deemed to satisfy the same or similar requirement under the Data Protection Legislation. The Customer warrants, represents and undertakes to Entrust that it has lawful grounds for processing the Customer Data. The Parties confirm that the following information will be provided after the GDPR application date: subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; the obligations and rights of the Customer. Where Entrust processes the Customer Data under or in connection with this Agreement, Entrust shall: a) save as required otherwise by law, only process such of the Customer Data as is necessary to perform its obligations under this Agreement, and only in accordance with the Customer’s documented instructions.
b) put in place appropriate technical and organisational measures to meet its own obligations under the Data Protection Legislation and which the Customer agrees are appropriate measures; c) ensure Entrust staff who will have access to the Customer Data are subject to appropriate confidentiality obligations; d) be entitled to engage Sub-Processors to process the Customer Data subject to Entrust ensuring that equivalent requirements to those set out in this clause are imposed on any sub-processor(s), Entrust remaining fully liable to the Customer for the performance of the sub-processor’s obligations and where applicable, providing to the Customer reasonable prior notice of any addition, removal or replacement of any Sub-Processors; e) not process or transfer the Customer Data outside of the European Economic Area without the prior documented consent of the Customer; f) have in place the appropriate technical and organisational security measures to protect the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access;

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection. 13.1 The Parties acknowledge that they are independent Data Controllers in respect of any Personal Data processed by them and agree to comply with their obligations under the Data Protection Legislation. 13.2 Each party shall comply with all the obligations imposed on a Controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect. 13.3 The Provider shall and shall procure that any of the Provider’s Personnel, Sub-Contractors and any other employees or third parties involved in the provision of the Services shall comply with their obligations under the Data Protection Legislation. 13.4 For the avoidance of doubt, it is stated here that neither Party is a Data Processor on behalf of the other Party in furtherance of their obligations under this Agreement. In the event it is established at any time during this Agreement that Personal Data is to be processed by the Provider under this Agreement on behalf of the Council then the Provider shall: (a) immediately enter into a data processing agreement with the Council on reasonable terms to be determined by the Council to ensure full compliance with Data Protection Legislation; and (b) indemnify and keep the Council indemnified in full for any and all consequences (including a Personal Data breach) arising as a result of the Provider’s failure to comply with any of its obligations under this Clause 13.413.
13.5 Failure by the Provider to enter into a data processing agreement in accordance with Clause 13.4 shall be deemed a fundamental breach which shall entitle the Council to immediately terminate the Agreement without consequence or any liability under this Agreement. 13.6 Any clause in this Agreement limiting the Provider’s liability in respect of any obligations, claims, losses, damages, liabilities, fines, penalties, interest or otherwise under the Data Protection Legislation and/or this Clause shall not apply. 13.7 Upon the termination or expiry of this Agreement the Provider shall ensure that all Personal Data held by it shall be up-to-date and accurate. Where it is necessary in order for the efficient transition of Services to the Council or a replacement provider or to a third party to be achieved then the Provider being the transferring Party shall, having first satisfied itself that such transfer is compliant with all laws, transfer current and required Personal Data to the Council or any replacement provider or to the third party in a secure manner and shall take all reasonable steps, at its own cost, to provide the Personal Data in a usable and compatible format. 13.8 Historical personal data shall be retained by the Provider in accordance with legal retention requirements. Personal Data which cannot be lawfully retained shall be securely deleted in accordance with Data Protection Legislation and good industry practice. 13.9 The provisions of this clause shall apply during the continuance of this Agreement and indefinitely after its expiry or termination. 13A.1 The Provider acknowledges that the Council is subject to the requirements of the FOIA and the Environmental Information Regulations and shall assist and co-operate with the Council (at the Provider's expense) to enable them to comply with these information disclosure requirements.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 16.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 16 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 16.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and FSI is the data processor (where data controller and data processor have the meanings as defined in the Data Protection Legislation). 16.3 Without prejudice to the generality of clause 16.1: (a) the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of any personal data to FSI for the duration and purposes of this agreement; and (b) FSI shall, in relation to any personal data processed in connection with the performance by FSI of its obligations under this agreement: (i) process that personal data only on the documented written instructions of the Client unless FSI is required by the laws of any member of the European Union or by the laws of the European Union applicable to FSI and/or Data Protection Legislation that applies in the UK to process personal data (“Applicable Laws”). Where FSI is relying on Applicable Laws as the basis for processing personal data, FSI shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FSI from doing so; (ii) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (A) FSI has provided appropriate safeguards in relation to the transfer; (B) the data subject has enforceable rights and effective legal remedies; (C) FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (D) FSI complies with reasonable instructions notified to it in advance by the Client with respect to the processing of personal data; (iii) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (iv) notify the Client without undue delay on becoming aware of a personal data breach; (v) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of this agreement unless required by Applicable Law to store the personal data; (vi) maintain complete and accurate records and information to demonstrate its compliance with this clause 16 and immediately inform the Client if, in the opinion of FSI, an instruction infringes the Data Protection Legislation. 16.4 The Client hereby consents to FSI appointing third party sub-processors (and the Client shall promptly confirm its consent to the appointment of such persons as FSI requires in writing) provided that such sub-processors will not store personal data outside of the European Economic Area unless FSI has provided appropriate safeguards in relation to the transfer (which it can demonstrate to the Client), the data subject has enforceable rights and effective legal remedies and FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred. 16.5 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

Appears in 2 contracts

Sources: Saas Agreement, Saas Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ob▇▇▇▇▇▇▇▇s under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" b▇ ▇▇▇ ▇▇ropean Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data ▇▇▇▇▇▇▇▇on (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and ▇▇▇ ▇▇▇▇gages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 2 contracts

Sources: Administration Agreement (Granite Mortgages 03-1 PLC), Administration Agreement (Granite Mortgages 03-3 PLC)

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection Toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol of these Call-off Terms and Conditions, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: NHS Framework Agreement for the Provision of Services, NHS Framework Agreement for the Provision of Services

Data Protection. 11.1. The LICENSEE acknowledges that in connection with the performance of its obligations under this Agreement PerfectForms may carry out Processing on Personal Data and sensitive personal data relating to employees of the LICENSEE. PerfectForms shall use its best endeavors to carry out such Processing in compliance with any applicable data protection legislation in force from time to time, and shall, without limitation to the foregoing
11.1.1. Take appropriate technical and organizational measures against unauthorized or unlawful processing of LICENSEE Personal Data and against accidental loss or destruction of, or damage to, LICENSEE Personal Data
11.1.2. Only disclose LICENSEE Personal Data or information extracted from such data to third parties with the prior written approval of the LICENSEE
11.1.3. In the event that PerfectForms is compelled to conform to edicts of the law, to subpoenas, to court orders, or legal processes, then, subject to any restrictions, PerfectForms shall promptly notify such employee of the LICENSEE of such request and respond promptly to any request for information made by the LICENSEE in respect of such subject access
11.2. The LICENSEE acknowledges that it is solely responsible for the creation of all LICENSEE Personal Data upon which PerfectForms carries out Processing under this Agreement. The LICENSEE shall make obtain and maintain all necessary notifications authorizations and consents the LICENSEE is required to have for the Processing of LICENSEE Personal Data to be carried out by PerfectForms under this Agreement. PerfectForms acknowledges that LICENSEE Personal Data in the possession of PerfectForms shall at all times remain the property of LICENSEE
11.3. The LICENSEE hereby instructs PerfectForms to carry out such Processing on LICENSEE Personal Data as is reasonably required by PerfectForms to perform its obligations under this Agreement. The LICENSEE may vary the instruction given by this clause 11.3 with respect to the Processing of LICENSEE Personal Data at any time by written notice to PerfectForms provided that PerfectForms shall have no liability of any kind to the LICENSEE for any loss or damage suffered by or claim made by any person against the LICENSEE arising directly or indirectly from PerfectForms complying with such notice

Appears in 2 contracts

Sources: Support and Maintenance Agreement, Support and Maintenance Agreement

Data Protection. The Service Provider shall (and shall procure that its entire Staff shall) comply with any notification requirements under the DPA and both Parties will duly observe all of their obligations under the DPA which arise in connection with this Framework Agreement. Notwithstanding the general obligation in Clause 22.1, where the Service Provider is processing personal data (as defined by the DPA) as a data processor for the Authority (as defined by the DPA) the Service Provider shall ensure that it has in place appropriate technical organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Service Provider is complying with its obligations under the DPA; promptly notify the Authority of any breach of the security measures required to be in place pursuant to this Clause 22; and ensure it does not knowingly or negligently do or omit to do anything which places the Authority in breach of the Authority’s obligations under the DPA. The provisions of this Clause 22 shall apply during the Term and indefinitely after its expiry.
FREEDOM OF INFORMATION The Service Provider acknowledges that the Authority is subject to the requirements of the FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to enable the Authority to comply with its Information disclosure obligations. The Service Provider shall and shall procure that its Sub-Contractors shall:- transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two (2) Working Days of receiving a Request for Information; provide the Authority with a copy of all Information, relevant to a Request for Information, in its possession or power, in the form that the Authority requests within five (5) Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in this Framework Agreement or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the FOIA or the Environmental Information Regulations. In no event shall the Service Provider respond directly to a Request for Information unless expressly authorised to do so by the Authority. The Service Provider acknowledges that (notwithstanding the provisions of this Clause 23) the Authority may, acting in accordance with the Ministry of Justice’s Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information ▇▇▇ ▇▇▇▇ (“the Code”), be obliged under the FOIA, or the Environmental Information Regulations to disclose Information concerning the Service Provider or the Services:- in certain circumstances without consulting the Service Provider; or following consultation with the Service Provider and having taken their views into account, provided always that where Clause 23.5 applies the Authority shall, in accordance with any recommendations of the Code, take reasonable steps, where appropriate, to give the Service Provider advanced notice, or failing that, to draw the disclosure to the Service Provider's attention after any such disclosure. The Service Provider shall ensure that all Information is retained for disclosure in accordance with Clause 18 and shall permit the Authority to inspect such records as requested from time to time. The Service Provider acknowledges that the Commercially Sensitive Information listed in Schedule 12 is of indicative value only and that the Authority may be obliged to disclose it in accordance with Clause 23.5.
PUBLICITY Subject to Clause 25 (Marketing) the Service Provider shall not make any press announcements or publicise this Framework Agreement in any way without the Authority’s prior written consent. The Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Authority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit ▇▇▇ ▇▇▇▇ or otherwise. The Service Provider shall not do anything to cause anything to be done, which may damage the reputation of the Authority or bring the Authority into disrepute.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 9.1 Acolyte shall, in providing access to the Application and in preparing Intelligence Reports and Insight Reports, comply with Data Protection Legislation and with its Data Protection & Privacy Policy relating to the privacy and security of the personal data processed under this Agreement, which is available on the Acolyte website. Acolyte reserves the right to amend its policies as required. 9.2 Each party shall ensure compliance with all applicable Data Protection Legislation when processing personal data. 9.3 The parties acknowledge that each of them is a controller of the Candidate Data processed in connection with this Agreement. The Parties agree to regulate the processing of Candidate Data as set out in Schedule 2. 9.4 The parties acknowledge that any preceding or subsequent data processing activities involving Candidate Data will fall outside the scope of this Agreement. 9.5 Acolyte may record telephone and video calls for training and monitoring purposes, and all recordings shall be held in accordance with Data Protection Legislation. 9.6 The Client acknowledges that the personal data shall be stored within the EU or the UK but may be accessed or processed in accordance with applicable legislation outside the EU or the country where ▇▇▇▇▇▇▇’s delivery team, the Client and the Authorised Users are located in order to provide access to the Application, and perform Acolyte’s obligations under this Agreement. Any transfer of personal data outside the EU or the UK will be subject to a Data Transfer Impact Assessment to confirm that the recipient ensures adequate protection for personal data and that the data subject has enforceable rights and effective legal remedies; 9.7 Where relevant, the parties shall ensure that each of them is entitled to transfer the relevant personal data to the other party so that it may be lawfully used, processed and transferred in accordance with this Agreement; 9.8 The parties shall ensure that the relevant third parties have been informed of, and, where applicable, have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; 9.9 Each party shall take appropriate administrative, physical, technical and organisational measures against unauthorised or unlawful processing of the personal data and Candidate Data or accidental loss, destruction or damage; and 9.10 The Client represents that the Client has established appropriate confidentiality, privacy and security policies and safeguards consistent with Data Protection Legislation, and industry standards and that the Client will educate Authorised Users on these policies and safeguards. 9.11 Acolyte shall follow its archiving procedures for personal data. In the event of any loss or damage to Candidate Data, the Client’s sole and exclusive remedy shall be for Acolyte to use reasonable commercial endeavours to restore the lost or damaged Candidate Data from the latest back-up of such Candidate Data maintained by Acolyte in accordance with the archiving procedure. Acolyte shall not be responsible for any loss, destruction, alteration or disclosure of Candidate Data caused by any third party (except those third parties subcontracted by Acolyte to perform services related to Candidate Data maintenance and back-up).

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. 15.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 15 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 15.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and FSI is the data processor (where data controller and data processor have the meanings as defined in the Data Protection Legislation). 15.3 Without prejudice to the generality of clause 15.1: (a) the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of any personal data to FSI for the duration and purposes of this agreement; and (b) FSI shall, in relation to any personal data processed in connection with the performance by FSI of its obligations under this agreement: (i) process that personal data only on the documented written instructions of the Client unless FSI is required by the laws of any member of the European Union or by the laws of the European Union applicable to FSI and/or Data Protection Legislation that applies in the UK to process personal data (“Applicable Laws”). Where FSI is relying on Applicable Laws as the basis for processing personal data, FSI shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FSI from doing so; (ii) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (A) FSI has provided appropriate safeguards in relation to the transfer; (B) the data subject has enforceable rights and effective legal remedies; (C) FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (D) FSI complies with reasonable instructions notified to it in advance by the Client with respect to the processing of personal data; (iii) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (iv) notify the Client without undue delay on becoming aware of a personal data breach; (v) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of this agreement unless required by Applicable Law to store the personal data; (vi) maintain complete and accurate records and information to demonstrate its compliance with this clause 15 and immediately inform the Client if, in the opinion of FSI, an instruction infringes the Data Protection Legislation. 15.4 The Client hereby consents to FSI appointing third party sub-processors (and the Client shall promptly confirm its consent to the appointment of such persons as FSI requires in writing) provided that such sub-processors will not store personal data outside of the European Economic Area unless FSI has provided appropriate safeguards in relation to the transfer (which it can demonstrate to the Client), the data subject has enforceable rights and effective legal remedies and FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred. 15.5 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

Appears in 2 contracts

Sources: Managed Services Agreement, Managed Services Agreement

Data Protection. Where any Personal Data is Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that either Party may be a Data Controller or a Data Processor. The Parties shall: Process the Personal Data only in accordance with instructions from the other to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or employee unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the other (save where such disclosure or transfer is specifically authorised under this Framework Agreement) and to take reasonable steps to ensure the reliability and integrity of any employee who has access to the Personal Data and ensure that they: are aware of and comply with the Provider’s duties under the Framework Agreement; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the disclosing Party or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data (as defined in the DPA); notify the disclosing Party immediately if it becomes aware of an event that results, or may result, in unauthorised access to Personal Data held by the other under a Call-Off Contract, and/or actual or potential loss and/or destruction of Personal Data in breach of a Call-Off Contract, including any Personal Data breach or if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to either Parties obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the disclosing Party with full cooperation and assistance (within the timescales reasonably required by the Disclosing Party) in relation to any complaint, communication or request made (as referred to at Clause 21.2.5) including by promptly providing: full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested to enable the disclosing Party to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and on request any Personal Data it holds in relation to a Data Subject; and if requested by the disclosing Party provide a written description of the measures it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 21.2 and provide copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Parties agree that they shall not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Commencement Date, either Party or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country outside the European Economic Area, the following provisions shall apply: the Data Processor shall propose a variation to the Data Controller which, if it is agreed, shall be dealt with in accordance with the Framework Agreement Variation Procedure; the Data Processor shall set out in its proposal for a variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Provider will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries to ensure the Data Controllers compliance with the DPA; in providing and evaluating the variation, the Parties shall ensure that they have regard to and comply with then-current the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Data Processor shall comply with such other instructions and shall carry out such other actions as the Data Controller may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Data Controller on such terms as may be required by them; or a data processing agreement with the Data Processor on terms which are equivalent to those agreed between the Data Controller and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Parties acknowledge may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Data Controller deems necessary for protecting Personal Data. The Parties shall use reasonable endeavours to assist each other in compliance with any obligations under the DPA and neither shall perform its obligations under this Framework Agreement in such a way as to cause the other to breach any of their obligations under the DPA to the extent the Party in question is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. The Parties shall designate a data protection officer if required by the Data Protection Legislation. Before allowing any Sub-Processor to process any Personal Data related to this Framework Agreement, the Parties shall: (a) notify the other in writing of the intended Sub-Processor and processing; (b) obtain the written consent of the Data Controller; (c) enter into a written agreement with the Sub-Processor which give effect to the terms set out in this Clause 21. such that they apply to the Sub-Processor; and provide the Data Controller with such information regarding the Sub-Processor as they may reasonably require. The Data Processor shall remain fully liable for all acts or omissions of any Sub-Processor.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 16.1 Each party is a Data Controller of Protected Data and each party shall comply with the obligations imposed on Data Controllers under the Data Protection Legislation. Nothing in these Conditions shall prohibit or otherwise restrict a party from complying with such obligations. 16.2 The Data Recipient shall notify the Data Discloser: 16.2.1 without undue delay and in any event within seven (7) days upon receiving a subject access or other request from a Data Subject concerning Protected Data disclosed to the Data Recipient, or if the Data Recipient receives any other claim, complaint or allegation relating to Protected Data disclosed to the Data Recipient; and 16.2.2 without undue delay and in any event within forty-eight (48) hours upon becoming aware of or having reasonable cause to suspect any breach of security leading to the destruction, loss or unlawful disclosure of Protected Data disclosed to the Data Recipient, and shall provide all details of the data breach as is required under applicable Data Protection Legislation, and in each case the parties shall co-operate with each other in handling such an event and provide reasonable assistance to the other in the discharging of their respective duties under Data Protection Legislation. 16.3 Each party shall (at its own cost) assist the other in complying with its obligations as Data Controller including by providing reasonable assistance, information and cooperation as required by Data Protection Legislation to the other party and, if appropriate, to Data Subjects. 16.4 The Buyer shall indemnify, keep indemnified, hold harmless and keep held harmless Novartis Gene Therapies and its affiliates against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a regulator) arising out of or in connection with any breach by the Buyer of its obligations under this clause 16. 16.5 For the purposes of this clause 16:

Appears in 2 contracts

Sources: Supply Agreement, Supply Contract

Data Protection. 12.1 For the purposes of this Clause 12, “Personal Data” and “Processing” (and “Process” shall be construed accordingly) shall have the meanings given to them in the Personal Data Protection Act 2012, as may be updated, superseded or replaced from time to time (the “Act”). 12.2 You acknowledge that We may obtain certain information (including, without limitation, Personal Data), about You (“Your Personal Data”). 12.3 Notwithstanding anything to the contrary, You specifically authorise that We may collect, use, disclose and/or Process Your Personal Data (whether provided electronically or otherwise) to administer these Terms, provide Services to You, including without limitation, monitoring and analysing the conduct of Your account and enabling Us to carry out statistical and other analysis, and otherwise market Services and products to You in accordance with these Terms. 12.4 You acknowledge and agree that in doing so, We may: (a) transfer or disclose Your Personal Data to any Associated Office or third party wherever located in the world, including (without limitation) those who provide services to Us or act as Our agents, those to whom We transfer or propose to transfer any of Our rights or duties under these Terms and those licences, credit reference agencies or other organisations that help Us make credit decisions and reduce the incidence of fraud or in the course of carrying out identity fraud prevention or credit control checks; and (b) transfer information We hold about You to countries located outside of Singapore, where data protection safeguards may not be as high, for any of the purposes described in this Clause 12 and in such instances We shall ensure that adequate safeguards are put into place to protect Your Personal Data. 12.5 To the extent that We Process Your Personal Data, We shall: (a) Process it only for the purposes of complying with Our obligations under these Terms, in accordance with Your reasonable instructions from time to time; and (b) ensure that appropriate technical and organisational measures shall be taken against unauthorised or unlawful Processing of Personal Data and the accidental loss or destruction of, or damage to, such Personal Data. 12.6 If any Personal Data belonging to any of Your directors, employees, officers, agents or clients is provided to Us, you represent to Us that each person is aware of and consents to the use of such data as set out in this Clause 12 and You agree to indemnify us against any loss, costs or expenses arising out of any breach of this representation.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. 13.1 It is agreed and acknowledged by the parties that they each act as Controller for Personal Data relevant to this Agreement. 13.2 The parties acknowledge Council is the Data Controller for the Personal Data that personal data may be transferred it holds and shares with the BID Company under this agreement Agreement as described in Appendix D (“the Council’s Personal Data”) ). Where the BID Company Processes the Council’s Personal Data in performance of this Agreement, the BID Company carries out such Processing as a Data Processor. 13.3 The BID Company is the Data Controller for the Personal Data that it holds and each party will fully comply shares with its respective obligations the Council under this Agreement as described in Appendix E (“the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy LawsBID Company’s Personal Data”). Where the Council Processes the BID Company’s Personal Data in performance of this Agreement, the Council carries out such Processing as a Data Processor. 13.4 As Controllers in common the Council and the BID Company agree to share and Process the Personal Data on the terms set out in this clause 13 and the appendices to this Agreement and the parties will comply with all the requirements of the Data Protection Legislation throughout the duration of this Agreement. 13.5 The parties are independent controllers agree that the sharing of their processing operations performed with such Personal Data. Taking into account Data is necessary for the state of the art, the costs of implementation and the nature, scope, context and purposes of processing this Agreement as well as defined in Appendices D and E (“the risk of varying likelihood Agreed Purpose”) and severity they shall not Process Shared Personal Data other than for the rights Agreed Purpose. 13.6 Each party will Process all Personal Data as set out in Appendices D and freedoms of data subjects, Recipient E. 
13.7 Each party will implement appropriate technical and organisational measures to (a) prevent: (i) unauthorised or unlawful Processing of the Shared Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and (b) ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage; and (ii) the nature of the Shared Personal Data to be protected in such a manner that all Processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of Data Subjects. 13.8 Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data. 13.9 Each party in sharing Personal Data with the other, shall ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by Article 13 of the GDPR including, if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer.
13.10 Each party in receiving Personal Data from the other, undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by Article 14 of the GDPR including, if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer. 13.11 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation. 13.12 Each party is responsible for maintaining a record of individual requests for information from Data Subjects, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the Data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
13.13 Subject to any statutory or stated retention periods, the parties shall not retain or Process Shared Personal Data for longer than is necessary to carry out the Agreed Purpose. 13.14 Any Personal Data that has been shared with a party shall, at the direction of the other, disclosing, party be returned or destroyed in the following circumstances: (a) on termination of the Agreement; (b) on expiry of the BID Term; (c) once Processing of the Shared Personal Data is no longer necessary for the Agreed Purpose for which it was originally shared; unless required by law to continue to store such Personal Data. 13.15 If a party appoints a third party Processor to Process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain liable to the other party for any breach, non-performance or non-observance of this clause 13 by such other Processor in the same way and to the same extent as if such breach, non-performance or non-observance had been committed by the appointing party.
13.16 A party may not transfer any Shared Personal Data to a third party located outside the EEA unless it; (a) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint Controller); and (b) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (iii) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer. 13.17 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and Process the Shared Personal Data in accordance with the technical and organisational security measures together with any other applicable national data protection laws and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data. 13.18 Each party shall each comply with its obligation to report a Personal Data Breach to the other without undue delay and (where applicable) Data Subjects under Article 33 of the GDPR.
The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner, including providing details of the nature of such Personal Data Breach, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, together with details of the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. 13.19 In the event of a dispute or claim brought by a Data Subject concerning the Processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will co-operate with a view to settling them amicably in a timely fashion. 13.20 Each party undertakes to indemnify the other and hold the other harmless from any claims, proceedings, actions, damages, costs, fines, expenses and any other liabilities which may arise out of, or in consequence of a breach or purported breach of the Data Protection Legislation or the performance or non-performance by that party of its obligations under this Agreement in relation to the Data Protection Legislation, including loss of or damage to property, financial loss arising from any breach of the Data Protection Legislation, or any other loss which is caused directly or indirectly by any act or omission of the Party arising from any breach of the Data Protection Legislation. 13.21 The provisions of this clause 13 shall apply during the Term of this Contract and indefinitely after its expiry.

Appears in 2 contracts

Sources: Bid Levy Operating Agreement, Bid Levy Operating Agreement

Data Protection. Each Party shall comply with its respective obligations under Applicable Data Protection Law and shall not do or omit to do anything which would cause the other Party to breach Applicable Data Protection Law. To the extent that any personal data is processed by the Supplier under this Agreement, the Supplier shall: process the personal data only in accordance with this Agreement and the Customer’s lawful instructions; implement appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure; only permit the personal data to be processed by persons who are bound by enforceable obligations of confidentiality; remain entitled to appoint third party sub-processors. Where the Supplier appoints a third party sub-processor, it shall, with respect to data protection obligations: (i) ensure that the third party is subject to, and contractually bound by, at least the same obligations as Supplier; and (ii) remain fully liable to the Customer for all acts and omissions of the third party; not transfer or otherwise process the personal data outside of the European Economic Area ("EEA") without obtaining the Customer's prior written consent; where consent is granted under clause 12.2.5, the Supplier may only process, or permit the processing, of the personal data outside the EEA under the following conditions: (i) the territory has the benefit of a finding that it provides adequate protection for the privacy rights of individuals; or (ii) the Supplier has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available; or (iii) the transfer otherwise complies with Applicable Data Protection Law; notify the Customer without delay after becoming aware that it has suffered a personal data breach; at the Customer’s cost, permit the Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier’s data processing activities to enable the Customer to verify and/or procure that the Supplier is complying with its obligations under this clause 12; assist the Customer in responding to requests from data subjects who are exercising their rights under Applicable Data Protection Law; assist the Customer in complying with its obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of Applicable Data Protection Law), comprising (if applicable): (i) notifying a supervisory authority that the Customer has suffered a personal data breach; (ii) communicating a personal data breach to an affected individual; (iii) carrying out an impact assessment; and (iv) where required under an impact assessment, engaging in prior consultation with a supervisory authority; and unless applicable law requires otherwise, upon termination of this Agreement delete all personal data provided by the Customer to the Supplier.
Each Party acknowledges that the factual description of the subject-matter, duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects shall be as set out in this Agreement. To the extent that the foregoing is not set out in this Agreement, the Parties shall keep a separate record of the relevant particulars.

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection. For the purpose of this article 42, "Personal Data" and "Data Controller" shall have the meanings ascribed to them in the UK Data Protection Act 1998 (“DPA”). Seller shall ensure that it complies with all requirements of the DPA as if Seller were the Data Controller in respect of all Personal Data provided to Seller by ▇▇▇▇▇, any employee of Buyer, Buyer’s customers, ▇▇▇▇▇’s subcontractors and/or any agent of Buyer pursuant to or relating to this Contract. Seller shall not process any Personal Data controlled by ▇▇▇▇▇ except in the performance of and for the purpose of this Contract.
Furthermore, Seller shall not transfer any Personal Data controlled by Buyer to any other entity or outside of the EEA without the express written consent of Buyer and without the provisions of the DPA and all applicable data protection law having been satisfied. Seller will have in place adequate technical and organizational security measures so that the confidentiality of this processing complies with the DPA and all applicable data protection laws and regulations. Seller shall immediately provide Buyer with copies of any and all requests by data subjects or regulatory authorities in relation to personal data processed pursuant to this Contract, and notice of any and all data breaches or other unlawful processing of personal data, and shall promptly provide Buyer with any and all assistance that may be required to respond to such requests or breaches. Where such requests relate to ▇▇▇▇▇▇’s failure to comply with the DPA or other applicable data protection laws and regulations, then such support and any remediation shall be at Seller’s expense.
Where under this Contract personal data needs to be exported from the EEA, Seller shall agree to execute such data transfer contracts based upon the model contracts published by the Article 29 Working Party of the European Commission. Seller shall indemnify, keep indemnified and hold harmless Buyer and ▇▇▇▇▇’s customers from and against all expenses, contingent liabilities, liabilities, injuries, losses, damages, claims, demands, proceedings, judgments and legal costs (on a full indemnity basis) whether arising in tort (including negligence), breach of contract, breach of statutory duty, collaterally or otherwise which Buyer and/or Buyer’s customers incur or suffer arising from breach of this article 42 or any model contract entered into by Seller pursuant to it.

Appears in 2 contracts

Sources: Purchase Order, Purchase Contract

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WMIL may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WMIL is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WMIL be deemed to be a processor on behalf of, or a joint controller with, the Client. WMIL explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WMIL refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WMIL, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WMIL is accurate and up to date, and that it promptly notifies WMIL if it becomes aware that such personal data is incorrect. Where the Client provides personal data to WMIL, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WMIL’s Privacy Notice.
In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WMIL. Where, in connection with this Agreement and the products and services that it provides under it, it becomes necessary for WMIL to transfer personal data to the Client, or its appointed representatives or assigns, in any jurisdiction outside the UK that has not been deemed adequate for the purposes of Article 47 of the UK GDPR, the parties shall use all reasonable efforts to enter into such data transfer arrangements as may be necessary to satisfy the requirements of the Applicable Data Protection Laws with respect to any such transfer.
In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with, this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. (a) If and insofar within the scope of this Agreement Personal Data is Processed by Pegasystems on behalf of Customer, Pegasystems shall: (i) Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions as are notified by the Customer to Pegasystems during the Term or instructions of a general nature as are set out in this Agreement); (ii) implement appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and/or reputational damage which might result from any unauthorized or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data and comply with the obligations in this sub-clause; (iii) take reasonable steps to ensure that all Pegasystems staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this sub-clause; and (iv) not publish, disclose or divulge any of the Personal Data to any third party except as described below or unless directed in writing to do so by the Customer.
(b) Pegasystems will notify Customer in writing if it becomes aware of any breach of Personal Data or any claims in connection with such breach. Pegasystems shall inform Customer of all actions and measures taken to address such breach and/or claims.
(c) Pegasystems will only transfer or provide direct access to Personal Data to Pegasystems’ affiliates and subcontractors that (i) have agreed in writing to process the Personal Data consistent with the terms of this Agreement and (ii) (A) are located in a jurisdiction subject to Data Protection Legislation or with privacy laws considered to be adequate by the European Commission or (B) have entered into the EU standard contractual clauses for transfers of Personal Data to non-EU data processors, set out in the European Commission Decision 2010/87/EC of 5 February 2010, to the extent necessary for Pegasystems to fulfill its obligations to Customer pursuant to this Agreement, unless and until Pegasystems has in place an alternative valid mechanism which is suitable for this purpose, including but not limited to binding corporate rules for Processors.

Appears in 2 contracts

Sources: Master Software License, Maintenance & Professional Services Agreement, Master Software License, Maintenance & Professional Services Agreement

Data Protection. 1. Any personal data included in the agreement shall be processed pursuant to Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. Such data shall be processed solely for the purposes of the implementation, management and monitoring of the agreement by the Commission, without prejudice to possible transmission to the bodies charged with monitoring or inspection task in application of Union law. 2. The beneficiary shall have the right of access to his/her personal data and the right to rectify any such data. Should the beneficiary have any queries concerning the processing of his/her personal data, he/she shall address them to the Commission. 3. The beneficiary shall have the right of recourse at any time to the European Data Protection Supervisor. 4. Where the agreement requires the processing of personal data by the beneficiary, the beneficiary may act only under the supervision of the data controller, in particular with regard to the purposes of the processing, the categories of data which may be processed, the recipients of the data, and the means by which the data subject may exercise his/her rights. 5. The beneficiary shall limit access to the data to the staff strictly necessary for the implementation, management and monitoring of the agreement.
6. The beneficiary undertakes to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned in order to: a) prevent any unauthorised person from having access to computer systems processing personal data, and especially: i) unauthorised reading, copying, alteration or removal of storage media; ii) unauthorised data input as well as any unauthorised disclosure, alteration or erasure of stored personal data; iii) unauthorised persons from using data-processing systems by means of data transmission facilities; b) ensure that authorised users of a data-processing system can access only the personal data to which their access right refers; c) record which personal data have been communicated, when and to whom; d) ensure that personal data being processed on behalf of third parties can be processed only in the manner prescribed by the contracting institution or body; e) ensure that, during communication of personal data and transport of storage media, the data cannot be read, copied or erased without authorisation; f) design its organisational structure in such a way that it meets data protection requirements.

Appears in 2 contracts

Sources: Grant Agreement, Grant Agreement

Data Protection. 12.1 For the purposes of this Clause 12, “Personal Data” and “Processing” (and “Process” shall be construed accordingly) shall have the meanings given to them in the Personal Data Protection ▇▇▇ ▇▇▇▇, as may be updated, superseded or replaced from time to time (the “Act”). 12.2 You acknowledge that We may obtain certain information (including, without limitation, Personal Data), about You (“Your Personal Data”). 12.3 Notwithstanding anything to the contrary, You specifically authorise that We may collect, use, disclose and/or Process Your Personal Data (whether provided electronically or otherwise) to administer these Terms, provide Services to You, including without limitation, monitoring and analysing the conduct of Your account and enabling Us to carry out statistical and other analysis, and otherwise market Services and products to You in accordance with these Terms. 12.4 You acknowledge and agree that in doing so, We may: 12.4.1 transfer or disclose Your Personal Data to any Associated Office or third party wherever located in the world, including (without limitation) those who provide services to Us or act as Our agents, those to whom We transfer or propose to transfer any of Our rights or duties under these Terms and those licences, credit reference agencies or other organisations that help Us make credit decisions and reduce the incidence of fraud or in the course of carrying out identity fraud prevention or credit control checks; and 12.4.2 transfer information We hold about You to countries located outside of Singapore, where data protection safeguards may not be as high, for any of the purposes described in this Clause 12 and in such instances We shall ensure that adequate safeguards are put into place to protect Your Personal Data. 12.5 To the extent that We Process Your Personal Data, We shall: 12.5.1 Process it only for the purposes of complying with Our obligations under these Terms, in accordance with Your reasonable instructions from time to time; and 12.5.2 ensure that appropriate technical and organisational measures shall be taken against unauthorised or unlawful Processing of Personal Data and accidental loss or destruction of, or damage to, such Personal Data. 12.6 If any Personal Data belonging to any of Your directors, employees, officers, agents or clients is provided to Us, you represent to Us that each person is aware of and consents to the use of such data as set out in this Clause 12 and You agree to indemnify us against any loss, costs or expenses arising out of any breach of this representation.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. 12.1 You warrant and confirm to Us that You: (a) are registered under applicable Data Protection Laws; (b) will at all times comply with all applicable provisions of Data Protection Laws and any other applicable legislation relating to personal data; and (c) will immediately inform Us in writing and at Your own cost if You have failed to comply with any provision of applicable Data Protection Laws. 12.2 When You submit an Application to Us under this Agreement, this will constitute Processing personal data. The purpose of this Clause 12 is to set out the roles that You and We perform in respect of that personal data. 12.3 When You submit an Application to Us, including when You populate an Application, You do so as a controller of the personal data which You collect and process and provide to Us, and You are solely responsible for the processing of that personal data and ensuring that such processing is undertaken in accordance with the requirements of Data Protection Laws. 12.4 You and We shall each be separately and independently responsible under Data Protection Laws for any personal data in respect of which we are a controller while the personal data is in our possession or under our control. We shall, where necessary, cooperate with, and provide reasonable assistance to one another in order to enable each of us to comply with our respective obligations under Data Protection Laws, including (but not limited to): (a) making available to the other party in a timely manner any correspondence from any data subjects or any relevant supervisory authority in relation to the processing of personal data by that party (to the extent that this is legally permitted); and/or (b) to the extent appropriate, informing one another of any Data Security Incident which may impact the other party, in so far as such Data Security Incident involves the personal data which is processed in relation to the Terms.
12.5 You shall ensure that, to the extent that any personal data is to be transferred to Us for the purposes of this Agreement, You will: (a) have a lawful purpose for transferring the personal data to Us, and will have complied with all other necessary lawful requirements to enable the lawful transfer of the personal data to Us. We will receive the personal data as a controller; (b) ensure You have all necessary consents and notices in place to enable the personal data to be transferred to Us lawfully for the purposes of this Agreement; (c) give full information to any Applicant whose personal data may be processed under this Agreement of the nature such processing, including making the Applicant aware of the purposes for which We will process personal data and to whom that personal data may be disclosed and notifying the Applicant that, on the termination of this Agreement, personal data relating to the Applicant may be retained by Us; (d) process any personal data We provide to You only for the purposes of this Agreement and not disclose or allow access to such personal data to anyone who is not subject to written contractual obligations concerning such personal data (including obligations of confidentiality) which are no less demanding than those imposed on You by this Agreement; (e) take appropriate technical and organisational measures to guard against unauthorised or unlawful processing or accidental loss, destruction, damage or alteration or disclosure of such personal data. This shall include where appropriate encryption of and password protected access to all such data whether stored on hard copy or in electronic form or any other form whatsoever. Such measures shall be in accordance with good industry practice and all guidance from any Regulatory Authority (including the UK Information Commissioner and the FCA) from time to time; (f) restrict access to such personal data to employees who are required to have it; (g) notify Us immediately of any security breaches relevant to the performance of this Agreement that may result in an unauthorised person gaining access to such personal data or to a device on which such personal data is held; (h) retain such personal data for no longer than necessary for the purpose for which the personal data is processed; (i) not transfer any personal data received from Us outside the EEA unless You: (i) comply with the provisions of Article 26 of the GDPR; and (ii) ensure that: (A) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; (B) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (C) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer.
12.6 We shall be entitled to use any information including personal data supplied by You for the purpose of: (a) considering the Application and any subsequent business from You; (b) administrative purposes including contract management; (c) conducting market research and statistical analysis; (d) informing You about new products, services, and about changes in the terms for existing products; (e) fraud and money laundering prevention; (f) preparing strategic or other marketing plans and gauging product sales; (g) in connection with any prospective sale or assignment of Our business or part thereof; and (h) for any purpose which is lawful and/or with the Applicant's consent under applicable Data Protection Laws. 12.7 You shall assist Us in complying with all applicable requirements of the Data Protection Laws with respect to the Applicants and, in particular, shall: (a) consult with Us about any notices given to the Applicants in relation to their personal data; (b) promptly inform Us about the receipt of any data subject access request; (c) provide Us with reasonable assistance in complying with any data subject access request; (d) not disclose or release any personal data in response to a data subject access request without first consulting Us wherever possible; (e) assist Us, at our cost, in responding to any request from an Applicant and in ensuring compliance with Our obligations under the Data Protection Laws with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators; (f) at Our written direction, delete or return to Us on termination of this Agreement all personal Data and all copies thereof which You are not required by law to retain; (g) use compatible technology for the processing of personal data to ensure that there is no lack of accuracy resulting from personal data transfers; (h) maintain complete and accurate records and information to demonstrate Your compliance with this Clause 12 and allow Us or Our designated auditor to conduct such audits of Your security measures as We require to ensure Your compliance with this Clause 12; (i) You will indemnify Us against all claims and proceedings and all liability, loss, costs and expenses We may suffer or incur as a result of any claim made or brought by an Applicant or by any other person in respect of any loss, damage or distress caused to them as a result of any breach by You of the Data Protection Laws. 12.8 Any breach of this Clause 12 by You may be a material breach of this Agreement which is not capable of being remedied, irrespective of whether any financial loss or reputational damage arises, and irrespective of the level of any financial loss or deprivation of benefit arising, as a consequence of such breach. 12.9 Please note that telephone calls may be recorded or monitored for security or training purposes.

Appears in 2 contracts

Sources: Intermediary Agreement, Intermediary Agreement

Data Protection. B36.1 Each Party shall comply with their respective duties under the Data Protection Legislation and any successor legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. B36.1 The Parties agree that in relation to: B36.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and B36.1.2 Personal Data, the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management the Authority and the Provider will be independent Data Controllers; together the “Agreed Purpose”. B36.2 Where the Authority requires information under clause 9.1.2 above, the Provider shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider shall provide such information in pseudonymised form where possible. B36.3 Schedule 1 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and duration of Processing. B36.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. B36.5 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, gives grounds to the other Party to terminate this Agreement with immediate effect. B36.6 In relation to the Processing of any Personal Data, each Party shall: B36.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; B36.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; B36.6.3 process the Personal Data only for the Agreed Purpose; B36.6.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients;

Appears in 2 contracts

Sources: Contract for the Provision of Public Health Services, Contract for the Provision of Public Health Services

Data Protection. To the extent that the provision of any Service requires the Processing of Personal Data: (a) Each Provider shall comply with, and shall cause its controlled Affiliates and its and their respective employees, agents and subcontractors to comply with, all applicable Laws relating to the Processing of Personal Data (“Data Protection Laws”) in connection with the performance of the Provider’s and Recipient’s obligations under this Agreement. The Parties acknowledge that the Recipient is the Controller of all Personal Data Processed by the Provider in connection with the performance of the Provider’s and Recipient’s obligations under this Agreement (“Recipient Data”) and agree that the Provider (and any Sub-Processor) may Process Recipient Data in the course of providing the Services. (b) Each Provider shall promptly notify the Recipient (as Controller) if the Provider receives a request from a data subject under any Data Protection Law in respect of the Processing of Personal Data in connection with the performance of the Provider’s or Recipient’s obligations under this Agreement; and ensure that the Provider does not respond to that request except on the instructions of the Recipient or as required by applicable Data Protection Law to which the Provider is subject (in which case, the Provider shall, to the extent permitted by applicable Data Protection Law, inform the Recipient of that legal requirement before the Provider responds to the request). (c) Each Provider shall notify the Recipient (as Controller) without undue delay upon the Provider becoming aware of unauthorized access to, or other security breach, affecting the Recipient’s Personal Data and providing the Recipient with sufficient information to allow the Recipient to meet any obligations to report or inform data subjects of the incident as required under the Data Protection Laws. Each Provider shall cooperate with the Recipient and take such reasonable commercial steps as are directed by the Recipient to assist in the investigation, mitigation and remediation of each such incident. (d) Further obligations of the Provider regarding the Processing of Personal Data in connection with the provision of the Services will be mutually agreed between the Parties in a separate Data Processing and Transfer Agreement (the “DPA”) between the Parties. To the extent there are any conflicts between this Section 3.3 and the DPA, the DPA shall govern.

Appears in 2 contracts

Sources: Transition Services Agreement (Bausch Health Companies Inc.), Transition Services Agreement (Bausch & Lomb Corp)

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WMIL may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WMIL is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WMIL be deemed to be a processor on behalf of, or a joint controller with, the Client. WMIL explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WMIL refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WMIL, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WMIL is accurate and up to date, and that it promptly notifies WMIL if it becomes aware that such personal data is incorrect. Where the Client provides personal data to WMIL, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WMIL’s Privacy Notice. In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WMIL. Where, in connection with this Agreement and the products and services that it provides under it, it becomes necessary for WMIL to transfer personal data to the Client, or its appointed representatives or assigns, in any jurisdiction outside the UK that has not been deemed adequate for the purposes of Article 47 of the UK GDPR, the parties shall use all reasonable efforts to enter into such data transfer arrangements as may be necessary to satisfy the requirements of the Applicable Data Protection Laws with respect to any such transfer. In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with, this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ▇▇▇▇▇▇▇ions under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" ▇▇ ▇▇▇ European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any such data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Da▇▇ ▇▇▇▇▇ction (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mor▇▇▇▇▇▇ ▇rustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 2 contracts

Sources: Administration Agreement (Granite Mortgages 03-3 PLC), Administration Agreement (Granite Mortgages 03-3 PLC)

Data Protection. 32.1 The Grant Recipient warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this Agreement. 32.2 The Grant Recipient undertakes that to the extent that the Grant Recipient and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Agency (the Agency’s Personal Data) for the purpose of performing its obligations under this Agreement it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA. In particular, the Grant Recipient agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 32.2.1 the Grant Recipient shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the Agency’s Personal Data and any person it authorises to have access to any the Agency’s Personal Data will respect and maintain the confidentiality and security of the Agency’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the Agency, when performing its obligations under this Agreement on the Agency’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 32.2.2 the Grant Recipient shall only process Personal Data for and on behalf of the Agency for the purpose of performing its obligations under this Agreement in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written instructions from the Agency to ensure compliance with the DPA; 32.2.3 the Grant Recipient shall allow the Agency to audit the Grant Recipient's compliance with the requirements of this Condition 32 on reasonable notice and/or, at the Agency’s request, provide the Agency with evidence of the Grant Recipient's compliance with the obligations within this Condition 32. 32.3 The Grant Recipient undertakes not to disclose or transfer any of the Agency’s Personal Data to any third party without the prior written consent of the Agency save that without prejudice to Condition 32.2 the Grant Recipient shall be entitled to disclose the Agency’s Personal Data to employees to whom such disclosure is reasonably necessary in order for the Grant Recipient to performing its obligations under this Agreement, or to the extent required under a court order. 32.4 The Grant Recipient shall: 32.4.1 take reasonable steps to ensure the reliability of any Grant Recipient Party who has access to the Personal Data; 32.4.2 ensure that any Grant Recipient Party required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 32; 32.4.3 ensure that none of any Grant Recipient Party publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Agency;

Appears in 2 contracts

Sources: Framework Delivery Agreement, Framework Delivery Agreement

Data Protection. 15.1 Each party shall be responsible for ensuring that it fulfills its respective obligations and responsibilities under the Data Protection Legislation and any other applicable laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or re-enacted from time to time), or the relevant legislation covering the use of personal data applicable to each party in the jurisdiction in which it is based. This includes, but is not limited to the following: (a) The parties shall agree the appropriate processes and arrangements under which any necessary data sharing and processing is to be carried out in the provision of the Services and Software under this Agreement. For all purposes related to the applicable Data Protection Legislation, the Customer shall be the Data Controller and Simitive a Data Processor as regards such data sharing and processing. (b) Simitive shall not transfer any personal data to any country or territory outside the United Kingdom or European Economic Area or other such geographical location as required by the Customer to comply with Data Protection Legislation in the Customer’s jurisdiction. (c) The Customer shall notify Simitive of the identities of the users and the administrators authorised to be users of the Software provided and hosted by Simitive under this Agreement (the “Authorised Users”); (d) Simitive shall enable the appropriate, agreed access and use of the Simitive Software by such Authorised Users; (e) The Customer is responsible for ensuring that Authorised Users comply with instructions in respect of the use of the Simitive Software, including those relating to access to, processing and protection of personal data. (f) Simitive shall take appropriate technical and organisational measures with the intention of preventing unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) Any Simitive staff with access to the Software shall be subject to appropriate security checks as a condition of their employment and have received appropriate training in data security. (h) Simitive shall provide such assistance as required to enable the Customer to meet its obligations under the Data Protection Legislation in relation to the security of processing, notification of personal data breaches and data protection impact assessments. 15.2 Simitive shall process personal data provided by the Customer only for the following lawful purposes; (a) to perform its duties and obligations under this Agreement; (b) in connection with the provision, implementation, monitoring, operation, evaluation and support of the Simitive Software; (c) to manage its provision of the Simitive Software and Services; (d) to carry out statistical analysis; (e) for administration, accounting, and archival purposes; 15.3 The parties agree that they will use reasonable endeavours to ensure that they do not, and do not cause the other Party to, breach the Data Protection Legislation (or other equivalent and applicable legislation in any jurisdiction in which a party is based) by their acts or omissions. 15.4 Simitive will delete or destroy all personal data supplied by the Customer within 3 months of the date of termination or otherwise end of the term of this agreement. Deleted content may persist in backup copies for up to one year, but will be encrypted and not available to third parties. 15.5 The Purpose of Processing is to allow the Customer to use the Simitive Software. 15.6 The Type of Personal Data will include names, email addresses, job titles, employment commencement and end dates. If chosen by the Customer it may also include Gender, Ethnicity or other such characteristics as required by the Customer to enable the statistical reporting. 15.7 Categories of Data Subjects will be employees or former employees of the Customer.

Appears in 2 contracts

Sources: Services Agreements, Services Agreements

Data Protection. 22.1 In relation to any Processing of Disclosed Data undertaken by the Supplier on behalf of the University pursuant to the Contract, the University and the Supplier acknowledge that, for the purposes of Data Protection Law, the University is the Data Controller and the Supplier is the Data Processor of such Disclosed Data. 22.2 The Parties agree that the Supplier may only process Disclosed Data on and in the Supplier or the Supplier’s Sub-Contractors’ data centres in the United Kingdom and the Disclosed Data may not be stored, transferred, located or otherwise processed outside of such area. Neither the Supplier nor any of its Sub-Contractors are entitled to transfer any the Disclosed Data outside of the United Kingdom without the University’s prior written consent. 22.3 The Supplier warrants and undertakes that it is solely responsible for ensuring that the Disclosed Data is processed by it in accordance with the Data Protection Law from the date that it is received from the University. 22.4 The Supplier undertakes to the University that it shall use the Disclosed Data only for purposes necessary for the performance of its obligations under the Contract and only in accordance with the instructions given from time to time by the University. 22.5 The Supplier shall (and shall procure that any of the Supplier's Personnel involved in the provision of the Contract shall) comply with any notification requirements under Data Protection Law and both Parties shall duly observe all their obligations under Data Protection Laws which arise in connection with the Contract. Supplier’s Personnel 22.6 The Supplier will ensure that access to the Disclosed Data is limited to: (a) Supplier’s Personnel who need access to the Disclosed Data to meet the Supplier's obligations under the Contract (the “Relevant Employees”); and (b) in the case of any access by any of the Supplier’s Personnel, such part or parts of the Disclosed Data as is strictly necessary for performance of said Supplier’s Personnel duties. 22.7 The Supplier will ensure that its Relevant Employees: (a) only Process Disclosed Data to the extent permitted by the Contract; (b) are bound by appropriate obligations of confidentiality in respect of the Disclosed Data and understand that the Disclosed Data is confidential in nature; (c) have undertaken training in Data Protection Law; and (d) are aware of the Supplier's obligations under such Data Protection Law and the Contract. 22.8 Without affecting the generality of clause 22.7, the Supplier will take appropriate steps to ensure the reliability of any of the Supplier's Personnel who have access to the Disclosed Data.

Appears in 2 contracts

Sources: Purchase Agreement, Standard Terms and Conditions

Data Protection. 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 8.2 Without prejudice to the generality of clause 8.1, each party will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Agreement. 8.3 Without prejudice to the generality of clause 8.1, each party (“Processor Party”) shall, in relation to any Personal Data processed in connection with the performance by the Processor Party of its obligations under this agreement: 8.3.1 process Personal Data in respect of which the other party (“Controller Party”) is Data Controller only on the written instructions of the Controller Party unless the Processor Party is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Processor Party to process Personal Data (“Applicable Laws”). Where the Processor Party is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Processor Party shall promptly notify the Controller Party of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor Party from so notifying the Controller Party; 8.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 8.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.3.4 not transfer any Personal Data to a territory outside of the United Kingdom or the European Economic Area unless the prior written consent of the Controller Party has been obtained and the following conditions are fulfilled: (a) the Controller Party or the Processor Party has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Processor Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor Party complies with reasonable instructions notified to it in advance by the Controller Party with respect to the processing of the Personal Data; 8.3.5 assist the Controller Party, at the Controller Party’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.3.6 notify the Controller Party without undue delay on becoming aware of a Personal Data breach; 8.3.7 at the written direction of the Controller Party, delete or return Personal Data and copies thereof to the Controller Party on termination of the agreement unless it is a Legal Requirement to store the Personal Data; and 8.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause. 8.4 For processing of Personal Data in connection with this Agreement: the duration of the processing is the term or such longer period as is required by law; the subject matter, nature and purpose is the storage of Personal Data and the sharing of Personal Data between the parties and their respective Group Companies to allow performance of the parties' obligations pursuant to this agreement; types of Personal Data subject to processing pursuant to this agreement are names, addresses, email addresses, IP addresses; and the categories of data subject are Company and Consultant contact details, employees of the Company and any Substitute. 8.5 [The Company agrees that any Substitute appointed under clause 3.3 is a third-party processor of personal data under this Agreement. The Consultant confirms that they will enter into a written agreement, which incorporates terms which are substantially similar to those set out in this clause 8 with the Substitute. The Consultant will remain fully liable for all acts or omissions of any third-party processor appointed by it under this clause 8.5.] 8.6 The Consultant will have liability for and will indemnify the Company and any Group Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Consultant or a Substitute of the Data Protection Legislation and will maintain in force full comprehensive Insurance Policies.

Appears in 2 contracts

Sources: Consultancy Agreement, Consultancy Agreement

Data Protection. 16.1 The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties.
16.2 Where the Provider is Processing Personal Data under or in connection with this Framework Agreement, the Provider must, in particular, but without limitation: 16.2.1 only Process such Personal Data as is necessary to perform its obligations under this Framework Agreement, and only in accordance with any instructions given by the Authority under this Framework Agreement; 16.2.2 put in place appropriate technical and organisational measures against any unauthorised or unlawful Processing of that Personal Data, and against the accidental loss or destruction of or damage to such Personal Data, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data is affected by unauthorised or unlawful Processing or by its loss, damage or destruction; 16.2.3 take reasonable steps to ensure the reliability of Staff who will have access to Personal Data, and ensure that those Staff are aware of and trained in any relevant policies and procedures.
16.3 The Provider and the Authority shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
16.4 Where any Personal Data is Processed by any subcontractor of the Supplier in connection with this Framework Agreement, the Provider shall procure that such subcontractor shall comply with the relevant obligations set out in Clause 16 of this Framework Agreement, as if such subcontractor were the Provider.
16.5 The Provider shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Provider’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Framework Agreement.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 14.2.1 The Parties must comply with Data Protection Legislation, Data Guidance, the FOIA and the EIR, and must assist each other as necessary to enable each other to comply with these obligations.
14.2.2 Without prejudice to the generality of clause 14.2.1, the Recipient must ensure that all Personal Data processed by or on behalf of the Recipient in the course of delivering the Project is processed in accordance with the relevant Parties’ obligations under Data Protection Legislation and Data Guidance. The Recipient shall: (a) process Personal Data only on the written instructions of the Council, unless the Recipient is required by Domestic Law to otherwise process the Personal Data. Where the Recipient is so required, it shall promptly notify the Council before processing the Personal Data, unless prohibited by Domestic Law; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) not transfer any Personal Data outside of the UK unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (i) the Council or the Recipient has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective remedies; (iii) the Recipient complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Recipient complies with the reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (d) notify the Council as soon as reasonably practicable if it receives: (i) a request from a Data Subject to have access to that individual’s Personal Data; (ii) a Right of Access, Rectification or Erasure Request; (iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) at the Recipient’s expense, assist the Council in responding to any request from a Data Subject and in ensuring compliance with the Council’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) at the written direction of the Council, delete or return Personal Data and copies thereof to the individual on termination or expiry of this Agreement unless required by the Applicable Laws to store the Personal Data; (g) maintain complete and accurate records and information to demonstrate its compliance with this clause 14.2 and allow for audits by the Council or the Council’s designated auditor.
14.2.3 Where the Council requires information for the purposes of quality management, the Recipient must consider whether the Council’s request can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Council, the Recipient must: (a) provide such information in pseudonymised form where possible; and in any event (b) ensure that there is a legal basis for the sharing of Personal Data.
14.2.4 If the Recipient is to engage any sub-contractor or sub-consultant to deliver any part of the Project (other than as a Data Processor) and the sub-contractor or subconsultant is to access personal or confidential information or interact with individuals, the Recipient must impose on it obligations that are no less onerous than the obligations imposed on the Recipient by this clause 14.2.
14.2.5 The Recipient shall indemnify the Council against any Losses incurred by the Council arising from, or in connection with, any breach of the Recipient’s obligations under this clause 14.2.
14.2.6 Notwithstanding any other provision of this Agreement, where the Recipient commits a Personal Data Breach which under Data Protection Legislation must be notified to the Information Commissioner and/or to an individual the Council may terminate this Agreement with immediate effect.

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 12.1 Both parties will comply with the applicable requirements of the Data Protection Legislation.
12.2 Each party shall only process Personal Data for the purposes of complying with and for the duration of this agreement, unless a party is permitted or required to keep the Personal Data for a longer period by law.
12.3 Where a party is processing Personal Data on behalf of the other, the parties acknowledge that the party processing Personal Data is the Processor and the other party is the Controller. Both parties shall ensure that they each hold a record of processing as required by the Data Protection legislation.
12.4 Where a party is acting as Controller it will ensure that it has the necessary consents or can comply with another processing condition contained within the Data Protection Legislation and that it has the appropriate notices and privacy policies in place to enable the lawful transfer of Personal Data to the Processor for the duration of the Agreement and for the purposes of the processing as detailed in this Agreement.
12.5 Where a party is acting as Processor it shall: a) act only on the Controller’s written instructions; b) have in place appropriate technical and organisational security measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing; c) ensure any staff who have access to the Personal Data are obliged to keep it confidential; d) assist the Controller (at the Processor’s own cost) to respond to an individual’s request to enforce their rights of subject access, rectification, erasure and any other rights conferred by the Data Protection Legislation; e) assist the Controller (if requested and at the Processor’s own cost) with respect to security, breach notifications, impact assessments and any investigations by a supervisory authority; f) notify the Controller without undue delay in the event of a data security breach and where acting as a Processor shall assist with any investigation; g) maintain and keep up to date the data processing record referred to above; h) delete or return all personal data to the Controller as requested at the end of the agreement (unless already deleted in line with the Controller’s retention policy); and i) submit to audits and inspections and provide the Controller with whatever information it needs to ensure that both parties are complying with their obligations under the Data Protection Legislation and inform the Controller immediately if asked to do something that is likely to infringe the Data Protection Legislation or other law of the UK, EU or a member state; j) only process Personal Data relevant to this agreement from the relevant categories of individuals listed below: 1. Controller’s staff (and, in the case of the Council, its members) 2. Members of the public 3. Controller’s customers 4. Controller’s contractors or other suppliers; k) not appoint a third-party sub-processor without the prior written consent of the Controller. The Processor shall ensure that any third-party processor will enter into an agreement incorporating the same or substantially similar terms contained herein in relation to Data Protection Legislation

Appears in 1 contract

Sources: Operating Agreement

Data Protection. 5.1 Licensee shall handle the Licensed Data in accordance with this Agreement and Applicable Legislation.
5.2 The Licensee represents that Licensee to its best knowledge provided the information in the Data Access Request Form, among others, the possible access to the Licensed Data by public authorities, such as intelligence services, in the country where the Licensee is established and shall inform ▇▇▇▇▇▇▇ promptly in the event of any change of the information as provided in the Data Access Request Form.
5.3 [The parties acknowledge and also agree to take the measures that ▇▇▇▇▇▇▇ Medical Foundation in its sole discretion deems appropriate to be taken to ensure continued compliance with the Applicable Legislation in the event that the adequacy decision under the GDPR, , would expire, be withdrawn, invalidated or amended.]
5.4 The Licensee shall ensure that adequate technical and organisational measures have been taken (including but not limited to encryption of the Licensed Data at rest and in transit) and shall be maintained in accordance with Applicable Legislation, in order to protect the Licensed Data from (accidental) unauthorized access or disclosure, loss, alteration or destruction of the Licensed Data, in particular by public authorities in the country where Licensee is established and elsewhere.
5.5 The Licensee warrants and represents that: (i) Licensee shall not create (or allow to be created) and maintain any back doors or similar programming in the adequate technical and organisational measures taken by the Licensee as provided for in clause 5.4 that could be used by public authorities or other third parties to access the Licensed Data, nor purposefully create or change its business processes in a manner that facilitates such access to the Licensed Data; (ii) no local legislation or government policy applicable to Licensee requires the Licensee to create or allow any back doors or similar programming in the adequate technical and organisational measures taken by the Licensee as provided for in clause 5.4 that could be used by public authorities or other third parties to access the Licensed Data or, in case the Licensed Data are encrypted by the Licensee, to hand over the encryption key to public authorities or other third parties; (iii) it has in place adequate standard operating procedures governing orders or requests from public authorities to access personal data processed by the Licensee, which will apply to the Licensed Data.
5.6 The Licensee shall inform ▇▇▇▇▇▇▇ promptly in the event that the Licensed Data have been (accidentally) accessed by or disclosed to an unauthorized person or party, lost, altered or destructed.
5.7 Parties agree that the Licensed Data shall be accessed by Licensee and subsequently accessed, held, kept, analysed and further used by Licensee only at and from the Licensee in Click or tap here to enter text., Click or tap here to enter text. and/or Google Cloud Platform server(s) within the European Union. [IN CASE OF A

Appears in 1 contract

Sources: License Agreement

Data Protection. 18.1 For the purposes of this Agreement, the terms with a first capitalized letter shall have the meaning given to them in the Data Protection Legislation or any Applicable Laws. This Section is applicable only in relation to any Personal Data processed by either Party in connection with, and pursuant to this Agreement.
18.2 To the extent the conclusion and execution of the present Agreement entails processing of Personal Data within the meaning of the Data Protection Legislation, Polestar and VCFSUK to comply with applicable Data Protection Legislation.
18.3 For the avoidance of doubt, the present Agreement will not entail processing of Personal Data by any Party as processor to the other Party within the meaning of the Data Protection Legislation.
18.4 Polestar and VCFSUK acknowledge that both Parties may process Personal Data in their respective capacity as independent Controllers for the purpose of, or in connection with (i) the purpose of this Agreement, the execution of the Customer Agreements (in this Section 18 referred to as the “Purposes”), (ii) Applicable Law (such as anti-money laundering or anticorruption, tax audit or financial sector related law and regulations); (iii) requests and communications from competent authorities (such as courts, regulators, tax authorities or other public authorities) in strict observance of the lawful basis given by Data Protection Legislation for the performed processing.
18.5 The Parties agree that the cooperation contemplated hereunder can only be effectively operated if processes are IT-based. The Parties further acknowledge that they shall make use of their respective current IT systems and have decided that each Party makes the minor necessary adjustment to their IT systems in order to exchange data and communicate with each other. Each Party therefore undertakes to adapt at its own costs (but only to the extent such costs are reasonable), where necessary, its IT Systems in order to enable the electronic communication and data transfer and exchange on the Commencement Date of wholesale financing for the purpose of Wholesale Finance and on the commencement date of retail finance for the purposes of Retail Finance at the latest. If the IT-implementation deadline falls behind the relevant commencement date, the Parties will put in place an interim solution, where the invoicing and payment routines shall be handled by normal paper invoices instead of electronic data transfer within a such interim period. The exact service levels during such interim period shall be defined in detail between the Parties.
18.6 To the extent permitted by Data Protection Legislation, Polestar and VCFSUK further acknowledge that Personal Data collected for the Purposes, may be disclosed to, Parties’ Affiliates and their relevant service provider, each Party’s service providers and competent authorities for one or more of the Purposes. Personal Data may also be disclosed to, and processed by, other third party subprocessors to the extent reasonably necessary in connection with the Purposes and permitted hereunder. Each Party remains responsible at all times for the performance of the Affiliates’ and third party subprocessors’ obligations in compliance with the terms of this Article and applicable Data Protection Legislation.
18.7 In the event where the processing and disclosure of Personal Data referenced in this paragraph may involve the transfer of Personal Data to countries outside of the European Economic Area such transfer should only take place on the basis of a European Commission adequacy decision, standard data protection clauses, approved code of conduct or other transfer mechanism provided by the Data Protection Legislation.
18.8 The Parties hereby acknowledge that any Data Subject — within the meaning of the Data Protection Legislation — whose Personal Data are being processed under the Agreement has a right to be informed and to object to the processing of Personal Data (in which case the Parties may not be able to perform their obligations deriving from this Agreement), to access, free of charge, Personal Data, a right to request their rectification as well as all rights of individual Data Subjects provided in Data Protection Legislation. Such request may be addressed to one or the other of the Parties. Therefore, in case a request is addressed to one Party that should necessitate action of the other Party, the former shall promptly notify the other for VCFSUK at ▇▇▇@▇▇▇▇▇▇.▇▇▇ and for Polestar at ▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇. The Parties agree to provide reasonable assistance as is necessary to each other to enable them to provide, in compliance with the Data Protection Legislation, the appropriate reply to Data Subject requests and to respond to any other queries or complaints from Data Subjects or any Data Protection Authority.
18.9 Each Party shall ensure and warrant that any Personal Data collected and provided to the other Party for the purpose and execution of the Agreement have been collected lawfully, fairly and in a transparent manner so as to enable such Personal Data to be processed by each Party and the other parties referenced in this present clause for all of the Purposes. The Parties will ensure that the Parties’ privacy notices are brought to the attention of the relevant Data Subjects and, where necessary, the Parties will provide or procure each other with all evidence as to the information of individual Data Subjects whose Personal Data will be processed for the Purposes, as may be reasonably requested by each of the Parties. The Parties shall not collect more Personal Data than is strictly necessary for the Purposes. The Parties shall not retain or process Personal Data for longer than is necessary to carry out the Agreement or the Customer Agreements.
18.10 Each Party shall inform the other as soon as possible of any significant change in Personal Data collected and to supplying one another upon request with any additional information such Party deems useful to the maintenance of a relationship between them and/or required by Applicable Laws or regulation. The refusal to communicate such data to any Party and the denial of any Party’s recourse to data processing techniques, notably in respect of information technology, when this is left to the other Party’s discretion, would be an impediment to the creation of a relationship or the maintenance of an existing relationship between the Parties.
18.11 Having considered the applicable Data Protection Legislation and guidance, the Parties have in place their own policies that must be followed in the event of a data security breach. Parties are under a strict obligation to notify any actual destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data to their respective point of contact as detailed in Section 18 as soon as possible and, in any event, within forty-eight (48) hours of identification of destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data, in order to enable the Parties to consider what action is required in order to resolve the issue in accordance with the applicable Data Protection Legislation. The Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any data security breach in an expeditious and compliant manner. Such notification shall be considered as Confidential Information.

Appears in 1 contract

Sources: Finance Cooperation Agreement (Polestar Automotive Holding UK LTD)

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, each Party shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations.
Where either Party is Processing Personal Data under or in connection with this contract as a Processor, the Parties shall comply with the Data Protection Protocol. Where the Parties are both Processing Personal Data under or in connection with this contract as Controllers, the Parties shall set out their rights and responsibilities in respect of such Personal Data in a document based on the model data sharing agreement at 0. The provisions of this paragraph 0 are additional to those set out in the Data Protection Protocol. Without prejudice to the generality of paragraph 0, when acting as a Controller HEE shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to the Provider for the duration and purposes of this contract. Without prejudice to the generality of paragraph 0, when acting as a Controller in connection with this contract the Provider shall: not transfer any Personal Data to a territory outside of the UK without the prior written consent of ▇▇▇; assist ▇▇▇ in responding to any request from a Data Subject to exercise their rights under the Data Protection Legislation and responding to consultations and inquiries from the Information Commissioner’s office or any other regulator; notify HEE without undue delay on becoming aware of a Data Loss Event; and ensure that all personnel who have access to or process Personal Data in connection with this contract are obliged to keep the personal data confidential. When acting as a Controller, the Provider must obtain the prior written consent of ▇▇▇, such consent not to be unreasonably withheld or delayed, prior to appointing any third party as a processor of Personal Data under this contract. The Provider and HEE shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to HEE under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
Where, as a requirement of this contract, either Party is Processing Personal Data relating to Learners as part of the Services, that Party shall: complete and publish an annual information governance assessment using the Data Security & Protection Toolkit (▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇.▇▇); meet the standards in the relevant NHS Data Security & Protection Toolkit; nominate an information governance lead able to communicate with that Party’s board of directors or equivalent governance body, who will be responsible for information governance and from whom that Party’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; in addition to the requirements of the Data Protection Protocol, report all incidents of data loss and breach of confidence in accordance with applicable Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines (which can be provided to the Provider by HEE on request); put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies rigorously; put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this contract; at all times comply with any information governance requirements and/or processes as may be set out in the Service Specification; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Provider by HEE from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Subject to clause 14, the Provider shall indemnify and keep ▇▇▇ indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Provider’s unlawful or unauthorised Processing (whether in breach of this contract or the Data Protection Legislation) or the destruction inaccessibility and/or damage to Personal Data for which the Provider is responsible in connection with this contract. The requirements of this paragraph 0 are in addition to, and do not relieve, remove or replace, a Party’s obligations or rights under the Data Protection Legislation.

Appears in 1 contract

Sources: NHS Education and Training Contract

Data Protection. Data Protection Legislation 2018 applies where applicable. For the purposes of these terms, the type of Personal Data being processed, the categories of Data Subjects and the nature and purpose of the Processing is/are those required for the Supplier to perform the services in agreement with the Buyer. The Supplier will agree as part of these terms to the confidentiality of any Personal Data that may present itself in the undertaking of the services with the Buyer. The Supplier shall: process the Buyer’s Personal Data only to the extent necessary for the purpose of providing the Services and in accordance with the Buyer's written instructions; implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to ensure a level of security appropriate to the risks that are presented by such Processing, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Buyer’s Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the likelihood and severity of risk in relation to the rights and freedoms of the Data Subjects; ensure that any employees or other persons authorised to Process the Buyer’s Personal Data are subject to appropriate obligations of confidentiality; on request by the Buyer and taking into account the nature of the Processing and the information available to the Supplier, assist the Buyer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (where applicable) in respect of the Buyer’s Personal Data; not transfer the Buyer Personal Data to a Third Country or to an International Organisation without the prior written consent of IPSA – The Buyer; not engage any third party to carry out its Processing obligations under this Contract without obtaining the prior written consent of the Buyer and, where such consent is given, procuring by way of a written contract that such third party will, at all times during the engagement, be subject to data processing obligations equivalent to those set out in this Schedule; notify the Buyer, as soon as reasonably practicable, about any request or complaint received from a Data Subject (without responding to that request, unless authorised to do so by the Buyer) and assist the Buyer by technical and organisational measures, insofar as possible, for the fulfilment of the Buyer’s obligations in respect of such requests and complaints; notify the Buyer without undue delay on becoming aware of a Personal Data breach; on request by the Buyer, make available all information necessary to demonstrate the Buyer's compliance with this Schedule and on reasonable advance notice in writing otherwise permit, and contribute to, audits carried out by the Buyer (or its authorised representative) with respect to the Buyer’s Personal Data; on termination or expiry of this Contract, destroy, delete or return (as the Buyer directs) all Buyer Personal Data and delete all existing copies of such data unless required by law to keep or store such Buyer Personal Data. The Supplier warrants that in carrying out its obligations it will not breach the Data Protection Legislation 2018 or do or omit to do anything that might cause the Buyer to be in breach of the Data Protection Legislation 2018. The Supplier shall indemnify and keep indemnified the IPSA against all costs, claims, damages or expenses incurred by the Buyer or for which the Buyer may become liable due to any failure by the Supplier to comply with its obligations under this clause.

Appears in 1 contract

Sources: Purchase Order Terms and Conditions

Data Protection.
8.1. The Party agree that to the extent that the Information provided to the Receiving Party comprises any Personal Data (as defined under the Irish Data Protection Acts 1988 and 2003 modified or consolidated or, the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (the “GDPR”) as may be amended, re-enacted or re-instated from time to time and any implementing legislation (together, the “Data Protection Laws”)) any such Personal Data which the Disclosing Party, supplies or discloses to the Receiving Party pursuant to this Agreement and / or otherwise in relation to the Property, shall be treated as set out in this Clause 8.
8.2. The Party acknowledge that the Receiving Party may transfer Personal Data to its Affiliates. In such a case, the Receiving Party shall be directly liable for the observance and proper performance (and any omissions in that regard) by those of its Affiliates who have received Personal Data of the terms and conditions of this Agreement and in particular this Clause 8.
8.3. The Receiving Party confirms that it has appropriate technical and organisational measures required to protect against unauthorised access to, or accidental or unauthorised destruction, loss, alteration or disclosure of any Personal Data contained in the Confidential Information.
8.4. The Personal Data shall remain at all times the property of and in the ownership of the Disclosing Party (as applicable) and the Receiving Party shall have no rights whatsoever in respect thereof.
8.5. The Receiving Party warrants and undertakes that it shall: (a) at its own cost comply with the Data Protection Laws and all other applicable data protection laws and guidance including (without limitation) applicable laws relating to accessing, use and onward disclosure, distribution, exporting, archiving, maintenance and storage of Personal Data and with the terms of this Agreement and process the Personal Data only to the extent strictly necessary in connection with discussions relating to the Property or any related proposed transaction and in accordance with the Disclosing Party’s instructions from time to time; (b) subject to Clause 8.12, not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by the Disclosing Party; (c) implement and maintain such technical and organisational security measures as may be required to comply with the applicable Disclosing Party’s data security obligations in the Data Protection Laws; (d) other than transfers of Personal Data to the Disclosing Party or to other third parties specified by the Disclosing Party, not under any circumstances transfer the Personal Data to a territory outside of the European Economic Area unless authorised in writing to do so by the Disclosing Party; and (e) enter into such other written agreement in respect of the processing or transfer of Personal Data as a Disclosing Party may require.
8.6. Upon expiry or termination of this Agreement, or upon the earlier written request of a Disclosing Party, the Receiving Party shall cease Processing the Personal Data and as soon as possible thereafter, delete from its systems, the Personal Data and any copies of it or of the information it contains unless on or prior to the cessation of the period of the Agreement the Disclosing Party requests in writing the return of such Personal Data as an alternative to this deletion requirement. The Disclosing Party reserves the right to require written confirmation from the Receiving Party that they have complied with the instruction to delete Personal Data.
8.7. The Receiving Party shall notify the Disclosing Party as soon as reasonably practicable and in any event within twenty-four (24) hours of: (a) any legally binding request for disclosure of Personal Data by a law enforcement regulatory body or other competent authority unless prohibited by law from doing so; (b) receiving any correspondence, notice or other communication whether orally or in writing from the relevant data protection regulator or any other regulator or person, relating to the Personal Data.
8.8. Where the Receiving Party receives a legally binding request for access to personal data by a law enforcement agency regulatory body or other competent authority, the Receiving Party will inform the Disclosing Party except where such disclosure is itself legally prohibited. The Receiving Party will reject any such request which is non-legally binding.

Appears in 1 contract

Sources: Confidentiality and Non Disclosure Agreement

Data Protection. In the performance of the Services, because the Services include data compression and encryption, Vbrick is technically a data processor (“Data Processor”) of Your data, including personally identifying data (“Personal Data”), and You are the “Data Controller”. Vbrick shall, if processing Your Personal Data as a Data Processor: (i) only process Your Personal Data for the duration of the Agreement; (ii) only process Your Personal Data on behalf of You to provide the Products and Services; (iii) only process Your Personal Data on and in accordance with Your instructions and as set forth in this Agreement; (iv) ensure that appropriate technical and organizational measures are taken to protect against the accidental, unauthorized or unlawful destruction, loss, alteration, access or disclosure of Your Personal Data; (v) if You are a European resident, Vbrick will not transfer Your Personal Data outside the European Economic Area (“EEA”) to countries whose laws the EEA has acknowledged do not ensure an adequate level of data privacy protection, without the prior written consent of You; and (vi) delete or return Your Personal Data according to Your instructions, per the applicable master agreement, (except to the extent that Vbrick is required to continue to store Your Personal Data); (vii) ensure that all its personnel who have access to Your Personal Data are subject to obligations of confidentiality when processing Your Personal Data; (viii) promptly inform You if any Your Personal Data is (while within the Vbrick’s possession or control) subject to a personal data breach (as defined in Article 4 of the GDPR); (ix) provide You and any legal data protection regulator all information and assistance necessary to demonstrate compliance with the obligations in this ▇▇▇▇; (x) permit Your chosen independent auditor (at Your sole cost) to access any relevant premises, personnel or records of Vbrick on no less than 30 days prior written notice to audit and verify compliance with Vbrick’s data protection obligations under this ▇▇▇▇. For purposes of section 2(iv) immediately above, the Parties acknowledge and agree that the provision of the Products, Services and/or Software may involve a transfer of Your Personal Data from Vbrick to its Affiliates (if any) and third-party data processors engaged in the provision of the Services and located outside the EEA.
In approving such transfers, each Party: (i) enters into the Standard Contractual Clauses found at personal-data-third-countries_en; and (ii) shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the applicable data protection laws (“Data Protection Laws”), and shall make such information available to any data protection regulator on request. You acknowledge that Vbrick is reliant on You for direction as to the extent to which Vbrick is entitled to use and process Your Personal Data. Consequently, ▇▇▇▇▇▇ will not be liable for any claim brought by a Data Subject (including under Article 82 of the GDPR) to the extent that such action or omission resulted directly from Your instructions. You shall be responsible for ensuring that its instructions comply with all applicable laws and regulations. You are responsible for (a) obtaining all necessary consents from the Data Subjects (where applicable) and providing all applicable privacy notices and disclosures to the Data Subjects (as required under the Data Protection Laws) to enable Vbrick to collect, process and share Your Personal Data as anticipated under this Agreement; and (b) providing Vbrick with instructions for processing Your Personal Data that are in compliance with the Data Protection Laws. Vbrick shall provide reasonable assistance to You in respect of any Data Access Requests that You notify Vbrick about in writing.
You shall promptly (and, in any event, within 7 days) notify Vbrick following the receipt of: (i) a complaint, communication or notice which relates directly or indirectly to the processing of Your Personal Data by ▇▇▇▇▇▇; or (ii) a request from a Data Subject to exercise their rights under the Data Protection Laws in relation to Your Personal Data (“Data Access Requests”) and shall provide sufficient information to enable Vbrick to supply any Your Personal Data included in the Data Access Requests. Vbrick shall not be liable for any enforcement action by a governmental body with the rights to enforce these provisions (“DP Regulator”), losses, damages or costs suffered or incurred by You in connection with any Data Access Request, where such enforcement action by a DP Regulator, losses, damages or costs are in any way attributable to Your failure to comply with this paragraph. Each party shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement, which processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in this Agreement or other written instructions from You. Vbrick may authorize third parties (“Third-Party Subprocessors”) to process Your Personal Data in connection with the processing of Services and its obligations hereunder. Vbrick shall ensure that any such Third-Party Subprocessors only process Your Personal Data on the basis of a written contract which imposes on and secures from such Third-Party Subprocessors obligations in compliance with applicable Data Protection Laws and that are substantially the same as those contained in or imposed on Vbrick under this paragraph.

Appears in 1 contract

Sources: End User License Agreement

Data Protection. In as far as on the basis of this Agreement data are transferred by one Contracting Party (the "transferring Contracting Party") to the other Contracting Party (the "receiving Contracting Party") which are to be considered personal data according to the laws of the Contracting Parties, the following provisions shall apply in addition to national rules:
(a) The receiving Contracting Party shall use the data only for the indicated purposes and under the conditions stipulated by the transferring Contracting Party and in no circumstances for any purpose outside the purposes for which the Agreement was concluded.
(b) The receiving Contracting Party shall inform the transferring Contracting Party upon request of the use of the transferred data and the results obtained thereby.
(c) Personal data transferred pursuant to this Agreement shall only be transferred to Competent Authorities.
(d) If the national law of the receiving Contracting Party allows exemptions from the provisions of paragraphs (a) - (c) of this Article, the operation of such exemptions shall require the prior permission of the transferring Contracting Party, which shall give its general consent in writing.
(e) The transferring Contracting Party shall verify the correctness of the data to be transferred, as well as the necessity and the proportionality of the transfer prior to their transfer. Transfers prohibited under national law of either of the Contracting Parties shall remain prohibited. If incorrect data, or data whose transfer are forbidden, are transferred, the receiving Contracting Party shall be notified forthwith, whereupon the receiving Contracting Party shall correct or destroy the data as necessary.
(f) Upon request, the subject of the personal data shall be informed about which data have been transferred and for which purposes. Requests for information by the subject of the personal data shall be treated in accordance with the national law of the Contracting Party in which the information is requested.
(g) If the national law of the transferring Contracting Party contains time limits for the retention of personal data, the receiving Contracting Party shall be informed accordingly by the transferring Contracting Party. Regardless of such time limits, transferred personal data shall be destroyed when they are no longer capable of serving the purpose for which they had been transferred or when that purpose has been fulfilled.
(h) The transferring and receiving authorities shall be obliged to record the transfer and receipt of personal data in written form.
(i) The transferring and receiving Contracting Parties shall be obliged to protect transferred personal data against unauthorised access, unauthorised change and unauthorised publication.

Appears in 1 contract

Sources: Agreement on the Readmission of Persons

Data Protection. 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 8 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
8.2 Without prejudice to the generality of clause 8.1, each party will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Agreement
8.3 Without prejudice to the generality of clause 8.1, each party (“Processor Party”) shall, in relation to any Personal Data processed in connection with the performance by the Processor Party of its respective obligations under this agreement:
8.3.1 process Personal Data in respect of which the other party (“Controller Party”) is Data Controller only on the written instructions of the Controller Party unless the Processor Party is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Processor Party to process Personal Data (“Applicable Laws”). Where the Processor Party is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Processor Party shall promptly notify the Controller Party of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor Party from so notifying the Controller Party;
8.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
8.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
8.3.4 not transfer any Personal Data to a territory outside of the United Kingdom or the European Economic Area unless the prior written consent of the Controller Party has been obtained and the following conditions are fulfilled: (a) the Controller Party or the Processor Party has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Processor Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor Party complies with reasonable instructions notified to it in advance by the Controller Party with respect to the processing of the Personal Data;
8.3.5 assist the Controller Party, at the Controller Party’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
8.3.6 notify the Controller Party without undue delay on becoming aware of a Personal Data breach;
8.3.7 at the written direction of the Controller Party, delete or return Personal Data and copies thereof to the Controller Party on termination of the agreement unless it is a Legal Requirement to store the Personal Data; and
8.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 8.
8.4 For processing of Personal Data in connection with this Agreement: the duration of the processing is the term or such longer period as is required by law; the subject matter, nature and purpose is the storage of Personal Data and the sharing of Personal Data between the parties and their respective Group Companies to allow performance of the parties' obligations pursuant to this agreement; types of Personal Data subject to processing pursuant to this agreement are names, addresses, email addresses, IP addresses; and the categories of data subject are Company and Consultant Company contact details, employees of the Company and the Individual or any Substitute.
8.5 [The Company agrees that any Substitute appointed under clause 3.3 is a third-party processor of personal data under this Agreement. The Consultant Company confirms that it will enter into a written agreement, which incorporates terms which are substantially similar to those set out in this clause 8 with the Substitute. The Consultant Company will remain fully liable for all acts or omissions of any third-party processor appointed by it under this clause 8.5.]
8.6 The Consultant Company will have liability for and will indemnify the Company and any Group Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Consultant Company, the Individual or a Substitute of the Data Protection Legislation and will maintain in force full comprehensive Insurance Policies.

Appears in 1 contract

Sources: Consultancy Agreement

Data Protection.
a. As part of providing the NoRamp Services, this Personal Data may be transferred to other regions, including to the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.
b. When NoRamp Processes Personal Data in the course of providing the NoRamp Services, NoRamp will:
i. Process the Personal Data as a Data Processor and/or Service Provider, only for the purpose of providing the NoRamp Services in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the NoRamp Services), and as may subsequently be agreed to by you. If NoRamp is required by law to Process the Personal Data for any other purpose, NoRamp will provide you with prior notice of this requirement, unless NoRamp is prohibited by law from providing such notice;
ii. notify you if, in ▇▇▇▇▇▇’s opinion, your instruction for the Processing of Personal Data infringes applicable Data Protection Legislation;
iii. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to NoRamp’s Processing of the Personal Data;
iv. implement reasonable technical and organizational measures enabling you to execute Data Subject Requests that you are obligated to fulfill;
v. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
vi. upon request, provide reasonable information to help the Customer complete the Customer’s data protection impact assessments.
vii. provide you, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing NoRamp’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this Addendum;
viii. notify you without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
ix. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and
x. upon termination of the Agreement, NoRamp will promptly initiate its purge process to delete or anonymize the Personal Data. If you request a copy of such Personal Data within 60 days of termination, NoRamp will provide you with a copy of such Personal Data.
c. In the course of providing the NoRamp Services, you acknowledge and agree that NoRamp may use Subprocessors to Process the Personal Data. NoRamp’s use of any specific Subprocessor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between NoRamp and Subprocessor that requires comparable protections to this Data Processing Addendum. If you object to the appointment of a Subprocessor you may terminate this agreement in accordance with our Terms and Conditions, if applicable.

Appears in 1 contract

Sources: Data Processing Addendum

Data Protection. 21.1 The parties shall ensure that at all times they comply with their obligations under this Agreement in manner so as to comply with the DPA and all relevant regulations relating to data protection, including the General Data Protection Regulation ((EU) 2016/679).
21.2 The parties warrant and represent that they have obtained all necessary registrations, notifications and consents required by the DPA to Process Personal Data for the purposes of performing their obligations under this Agreement.
21.3 The Grant Recipient undertakes that to the extent that the Grant Recipient and/or any of its employees receives, has access to and/or is required to Process Personal Data on behalf of the GLA (the GLA’s Personal Data) for the purpose of performing its obligations under this Agreement it will at all times act as if it were a Data Controller and comply with the provisions of the DPA for the time being in force.
21.4 The Grant Recipient shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the GLA’s Personal Data and any person it authorises to have access to any the GLA’s Personal Data will respect and maintain the confidentiality and security of the GLA’s Personal Data.
21.5 The Grant Recipient shall allow the GLA to audit the Grant Recipient's compliance with the requirements of this Condition 21 on reasonable notice and/or, at the GLA’s request, provide the GLA with evidence of the Grant Recipient's compliance with the obligations within this Condition 21.
21.6 The Grant Recipient undertakes not to disclose or transfer any of the GLA’s Personal Data to any third party without the prior written consent of the GLA save that without prejudice to Condition 21.3 the Grant Recipient shall be entitled to disclose the GLA’s Personal Data to employees to whom such disclosure is reasonably necessary in order for the Grant Recipient to perform its obligations under this Agreement, or to the extent required under a court order.
21.7 The Grant Recipient agrees to use all reasonable efforts to assist the GLA to comply with such obligations as are imposed on the GLA by the DPA.
21.8 The Grant Recipient shall indemnify the GLA against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by the GLA as a result of the Grant Recipient's destruction, damage or loss of the GLA’s Personal Data processed by the Grant Recipient, its employees, agents, or any breach of or other failure to comply with the obligations in the DPA and/or this Condition 21 by the Grant Recipient, its employees, agents or sub-contractors.
21.9 The Grant Recipient undertakes to include obligations no less onerous than those set out in this Condition 21, in all contractual arrangements with agents engaged by the Grant Recipient in performing its obligations under this Agreement to the GLA.

Appears in 1 contract

Sources: Approved Provider Grant Agreement

Data Protection. 7.1 Where applicable, expressions defined in the Data Protection Legislation and used in this clause 7 shall have the meanings given to them in the Data Protection Legislation.
7.2 Both Parties shall jointly determine the purposes and means of processing Personal Data in relation to learners to whom the Centre is providing Qualifications to pursuant to this Agreement (“Learners”), including special categories of data (as referred to in Article 9(1) GDPR), and shall be joint controllers of that Personal Data (as referred to in Article 26 GDPR “Joint controllers”).
7.3 Pursuant to Article 26 GDPR, the Parties set out their respective responsibilities for compliance with the Data Protection Legislation herein:
7.3.1 The Centre shall solely determine whether consent is required in order to process the Personal Data of learners save that Laser Learning Awards shall have the right to review any such determination and to require a different determination if it reasonably considers the Centre’s determination to be contrary to the GDPR;
7.3.2 Where consent as envisaged in clause 7.3.1 above is determined to be required from learners, the Centre shall gain all necessary consents from Learners required by and in accordance with the Data Protection Legislation as is necessary for the provision of Qualifications under this Agreement;
7.3.3 The Centre shall have the sole responsibility to provide the information required to be provided to Learners as set out in Articles 13 and 14 GDPR save that Laser Learning Awards shall have the right to review any information provided or proposed to be provided and to require different information to be provided if it reasonably considers the Centre’s information to be contrary to the GDPR;
7.3.4 The Centre shall be responsible for satisfying the rights of Learners as Data Subjects as set out in the GDPR. Laser Learning Awards shall assist the Centre in discharging this responsibility save that Laser Learning Awards shall have the right to require a different manner in which the Centre discharges or proposes to discharge its responsibility if it reasonably considers the Centre’s discharging to be contrary to the GDPR;
7.3.5 The Centre shall gather Personal Data as is necessary for the operation of this Agreement in accordance with the GDPR;
7.3.6 Laser Learning Awards shall process Personal Data as is necessary for the provision of services under this Agreement; and
7.3.7 The Centre shall make the essence of this arrangement in relation to the respective roles and relationships of the Parties as Joint controllers available to the relevant Data Subjects.
7.4 Each Party, as a Data Controller in relation to learners’ Personal Data shall comply with its respective obligations under the Data Protection Legislation in relation to that Personal Data and shall aid the other Party in its compliance.

Appears in 1 contract

Sources: Appointment Agreement

Data Protection. 15.1 ▇▇▇▇’s Privacy Policy explains how and for what purposes we collect, use, retain, disclose, and safeguard the Personal Data that the Client provides to Nium. The Client agree to the terms of ▇▇▇▇’s Privacy Policy, which Nium may update from time to time.
15.2 The Client represents and warrants to Nium that it has the legal right to disclose all Personal Data disclosed to Nium under or in connection with this Agreement.
15.3 Nium and the Client each acknowledges and agrees that they each act as independent data controller, or the equivalent under Data Protection Legislation in relation to the Personal Data they each Processes under or in connection with this Agreement. Each Party shall comply with its respective obligations under Data Protection Legislation.
15.4 Nium and the Client shall each ensure that access to Personal Data is limited to Nium’s or the Client’s Personnel who have a reasonable need to access Personal Data to enable the Nium or the Client to perform its respective obligations under this Agreement.
15.5 If Nium or the Client receives or becomes aware of the following, it shall promptly notify the other Party of: (a) any breach of security or unauthorised access to Personal Data within forty eight (48) hours of becoming aware of such incident; and (b) any complaint, inquiry or request from a Data Subject or Data Protection Authority regarding Personal Data unless such notice is prohibited by Data Protection Legislation.
15.6 Each Party shall refrain from notifying or responding to any Data Subject or Data Protection Authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) by Data Protection Legislation.
15.7 The Client acknowledges and agrees that ▇▇▇▇, at its sole discretion, may disclose any Personal Data or transaction-related information to third parties in order to perform Nium’s obligations under this Agreement as required under Law, including but not limited to anti-money laundering, sanctions, or as may otherwise be required by Law. Furthermore, such disclosure may be made to any Regulatory Authority, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such Regulatory Authority in the ordinary course of business.
15.8 Nium may transfer Personal Data on a global basis as necessary to provide the Services. In particular, Nium may transfer any Personal Data to its Affiliates and sub-processors in other jurisdictions. Where Nium transfers Personal Data under this Agreement to a country or recipient not recognised as having an adequate level of protection for Personal Data according to Data Protection Legislation, Nium will comply with its obligations under Data Protection Legislation.

Appears in 1 contract

Sources: Nium Services Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows:
(a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey);
(b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey);
(c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee;
(d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio;
(e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended);
(f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and
(g) that both the Administrator and the Mortgages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 1 contract

Sources: Administration Agreement (Granite Mortgages 04-2 PLC)

Data Protection.
17.1 Each party, including its Staff, shall comply with its respective obligations under the Data Protection Act 1998 (the “DPA”) in relation to the provision of the Services and shall not knowingly or negligently by any act or omission, place the other party in breach, or potential breach, of the DPA
17.2 The Provider shall in accordance with the DPA be notified and shall advise the Council’s Contract Manager of its notification reference on the Public Register of Data Controllers
17.3 The Provider shall only use any/all information that is given or made available to it by the Council under the terms of the DPA for the provision of the Services in accordance with specific instructions and for no other purpose whatsoever at any time
17.4 The Provider shall ensure that personal information is not disclosed, either free of charge or in return for payment, to any other party except where there is a legal or regulatory obligation to do so
17.5 On termination of this Contract the Provider shall return all personal data or destroy or dispose of it in a secure manner and in accordance with any specific instructions issued by the Council
17.6 The Provider shall give all reasonable assistance to the Council necessary to enable it to comply with its obligations under Part II of the DPA
17.7 The Provider shall comply with the Council’s security requirements including adherence to security policies and with obligations equivalent to those imposed on the Council by the Seventh Data Protection Principle (as set out in Schedule 1 of the DPA) and any requirements specifically notified to the Provider
17.8 The Provider shall either be certified to BS ISO/IEC 27001 or have agreed a security policy with the Council that complies with all relevant standards of ISO/IEC 27001 and shall have provided the Council’s Contract Manager with a copy of the policy. In the event that the Provider is not certified to ISO 27001, the Council shall be entitled to establish its own systems audit for evaluating and monitoring the effectiveness of the Provider’s data protection systems and shall be entitled to deduct the reasonable cost of maintaining such systems from sums due to the Provider
17.9 The Provider shall also ensure that its Staff who are permitted access to Council’s Data receive appropriate training in data protection to ensure compliance
17.10 The Provider shall take reasonable steps to ensure the reliability of any of its Staff that have access to Council’s Data
17.11 The Provider shall, upon reasonable notice, allow officers of the Council to have reasonable rights of access at all times to the Provider’s premises, Staff and records for the purposes of monitoring the Provider’s compliance with its security requirements, including its obligations under the DPA
17.12 The Provider agrees to indemnify the Council against all costs that the Council incurs as a result of the Provider’s failure to comply with this clause 17
17.13 The Provider shall immediately inform the Council of any breach or potential breach of this clause 17
18.1 Each Party:-
18.1.1 shall treat all Confidential Information belonging to the other Party as confidential and safeguard it accordingly; and
18.1.2 shall not disclose any Confidential Information belonging to the other Party to any other person without the prior written consent of the other Party, except to such persons and to such extent as may be necessary for the performance of this Contract or except where disclosure is otherwise expressly permitted by the provisions of this Contract
18.2 The Provider shall take all necessary precautions to ensure that all Confidential Information obtained from the Council under or in connection with this Contract:-
18.2.1 is given only to such of its Staff and professional advisors or consultants engaged to advise it in connection with this Contract as is strictly necessary for the performance of this Contract and only to the extent necessary for the performance of this Contract
18.2.2 is treated as Confidential and not disclosed (without prior Approval) or used by any Staff or such professional advisors or consultants otherwise than for the purposes of this Contract.
18.3 The Provider shall ensure that Staff or its professional advisors or consultants are aware of the Provider’s confidentiality obligations under this Contract
18.4 The Provider shall not use any Confidential Information it receives from the Council otherwise than for the purposes of this Contract
18.5 The provisions of clause 18.1 to 18.3 shall not apply to any Confidential Information received by one Party from the other:
18.5.1 which is or becomes public knowledge (otherwise than by breach of this clause 18)
18.5.2 which was in the possession of the receiving Party, without restriction as to its disclosure, before receiving it from the disclosing Party
18.5.3 which is received from a third party who lawfully acquired it and who is under no obligation restricting its disclosure
18.5.4 is independently developed without access to the Confidential Information; or
18.5.5 which must be disclosed pursuant to a statutory, legal or parliamentary obligation placed upon the Party making the disclosure, including any requirements for disclosure under the Freedom of Information Act, 2000 or the Environmental Information Regulations 2004
18.5.6 Nothing in this clause 18 shall prevent the Council disclosing any Confidential Information:-
18.5.6.1 for the purpose of the examination and certification of the Council’s accounts; or
18.5.6.2 for the purpose of any examination pursuant to section 6(1) of the National Audit Act 1983 of the economy, efficiency, and effectiveness with which the Council has used its resources; or
▇▇.▇.▇.▇ to any government department or any other Contracting Authority. All government departments or Contracting Authorities receiving such Confidential Information shall be entitled to further disclose the Confidential Information to other government departments or other Contracting Authorities on the basis that the information is Confidential and is not to be disclosed to a third party which is not part of any government department or any Contracting Authority; or
▇▇.▇.▇.▇ to any person engaged in providing any services to the Council for any purpose relating to or ancillary to this Contract
Provided that in disclosing information the Council discloses only the information which is necessary for the purpose concerned and requires that the information is treated in confidence and that a confidentiality undertaking is given where appropriate
18.6 Nothing in this clause shall prevent either Party from using any techniques, ideas or know-how gained during the performance of this Contract in the course of its normal business to the extent that this does not result in a disclosure of Confidential Information or an infringement of Intellectual Property Rights
18.7 In the event that the Provider fails to comply with this clause 18 the Council reserves the right to terminate this Contract in writing with immediate effect
18.8 The Council may terminate this Contract for Provider’s failure to comply with this clause 18

Appears in 1 contract

Sources: Service Agreement

Data Protection.
18.1 This clause 18 sets out the framework for the sharing of Personal Data between the Parties where they are acting as Data Controllers in respect of the Shared Personal Data in connection with this Agreement:
(a) Each Party acknowledges that a party (the “Data Discloser”) will regularly disclose for the purposes of this Agreement to another party or other parties (the “Data Recipient(s)”) Shared Personal Data collected by the Data Discloser;
(b) The Parties shall comply with all the obligations imposed on a Data Controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 days of that breach, give grounds to the other Party to terminate this Agreement with immediate effect;
(c) Each Party acknowledges that the Data Recipient(s) was not involved in the collection of Shared Personal Data initially collected by the Data Discloser and provided to the Data Recipient(s). The Data Discloser shall ensure that it collects and processes such Shared Personal Data in accordance with the Data Protection Legislation;
(d) Each Party shall ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Data Recipient(s) for the purposes of this Agreement;
(e) The Data Recipient(s) shall process the Shared Personal Data only for the purposes of this Agreement;
(f) Each Party shall be separately responsible for compliance with its respective obligations under the Data Protection Legislation, in its capacity as Data Controller of the Shared Personal Data processed for the purposes of this Agreement, in respect of: (i) the security of the Shared Personal Data when under its control; (ii) any transfers of the Shared Personal Data outside the EEA for which that Party is responsible; and (iii) any requests received from individuals in respect of their rights under the Data Protection Legislation exercised in respect of the Shared Personal Data in that Party’s possession and/or control.
18.2 Each Party shall provide to the others such reasonable co-operation and assistance as may be necessary in relation to the Shared Personal Data including in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities.
18.3 Each Party shall (and shall procure that any of its staff involved in connection with the Project Design shall) comply with any notification requirements under the Data Protection Legislation.
18.4 Historic England’s full privacy and cookies policy can be viewed at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇.▇▇/terms/privacy-cookies/
19.1 Except to the extent set out in clause 19.2 or where disclosure is expressly permitted, each Party shall treat Confidential Information belonging to the other Party as confidential and shall not disclose any Confidential Information belonging to the other Party to any other person without the prior written consent of the other Party.
19.2 Neither Party shall be prevented from disclosing any Confidential Information obtained from the other Party:
19.2.1 for the purpose of the examination and certification of: (i) its own accounts; or (ii) pursuant to section 6(1) of the National Audit ▇▇▇ ▇▇▇▇, the economy, efficiency and effectiveness with which the Party has used its resources; or
19.2.2 to any government department, provided that in disclosing information the Party only discloses the information which is necessary for the purpose concerned and requests that the information is treated in confidence and that a confidentiality undertaking is given where appropriate;
19.2.3 where disclosure is required by law, including under the FOIA or EIR.

Appears in 1 contract

Sources: Cultural Programme Grant Agreement

Data Protection.
17.1 The Provider shall (and shall procure that any of its Provider's Personnel involved in the provision of the Contract shall) comply with any notification requirements under Data Protection Legislation and both Parties shall duly observe all their obligations under Data Protection Legislation, which arise in connection with the Contract.
17.2 Notwithstanding the general obligation in clause 17.1, where the Provider is processing Personal Data as a Data Processor for the Commissioner, the Provider shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under Data Protection Legislation; and
(a) provide the Commissioner with such information as the Commissioner may reasonably require to satisfy itself that the Provider is complying with its obligations under Data Protection Legislation;
(b) within 24 hours of the Provider becoming aware of the breach occurring, notify the Commissioner of any breach and of the security measures required to be put in place pursuant to this clause 17.2;
(c) co-operate with the Commissioner and/or any relevant regulatory body in carrying out any investigation by providing information requested by the Commissioner and/or relevant regulatory body within the timescales required;
(d) allow the Commissioner’s and/or the regulatory body’s representatives access to Provider premises, systems and data for the purposes of any investigation, inspection or audit; and
(e) ensure it does not knowingly or negligently do or omit to do anything which places the Commissioner in breach of the Commissioner's obligations under Data Protection Legislation.
17.3 The Provider shall not engage another processor without prior written authorisation from the Commissioner. The Provider shall inform the Commissioner of any intended changes concerning the addition or replacement of other processors giving the Commissioner the opportunity to object. All additional or replacement processors are required to sign the Commissioner’s Data Processing Agreement.
17.4 The Provider shall indemnify the Commissioner against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profits, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by, or awarded against the Commissioner arising from any breach of the Provider's obligations in this clause 17 except and to the extent that such liabilities have resulted directly from the Commissioner's instructions.

Appears in 1 contract

Sources: Service Agreement

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection Toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data.
Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3, and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 1 contract

Sources: NHS Terms and Conditions for the Provision of Services

Data Protection. The Supplier shall comply with the Data Protection Act 1998 ("the 1998 Act") and any other applicable data protection legislation. In particular the Supplier agrees to comply with the obligations placed on the Authority by the seventh data protection principle ("the Seventh Principle") set out in the 1998 Act, namely: to maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Authority by the Seventh Principle; only to process Personal Data for and on behalf of the Authority, in accordance with the instructions of the Authority and for the purpose of performing its obligations under the Agreement and to ensure compliance with the 1998 Act; and to allow the Authority to audit the Supplier's compliance with the requirements of this Clause 17 on reasonable notice and/or to provide the Authority with evidence of its compliance with the obligations set out in this Clause 17.
Subject to Clause 14, the Supplier agrees to indemnify and keep indemnified the Authority and any Administering Entity against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith by the Authority and any Administering Entity as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier's unauthorised processing, unlawful processing, destruction of and/or damage to any Personal Data processed by the Supplier, its employees or agents in the Supplier's performance of the Agreement or as otherwise agreed between the Parties. Both Parties agree to use all reasonable efforts to assist each other to comply with the 1998 Act. For the avoidance of doubt, this includes the Supplier providing the Authority with reasonable assistance in complying with subject access requests served on the Authority under Section 7 of the 1998 Act and the Supplier consulting with the Authority prior to the disclosure by the Supplier of any Personal Data in relation to such requests.
Subject to Clause 18.2, neither Party shall be considered to be in default or liable for breach of any obligation hereunder nor liable to the other Party for any loss or damage whatsoever arising out of the prevention, hindrance or delay of the performance of any such obligation to the extent that the performance of such obligation is prevented, hindered or delayed by an event of Force Majeure. The Supplier shall only be entitled to rely on an event of Force Majeure and will not be considered to be in default or liable for breach of any obligations hereunder if the Supplier has fulfilled its obligations pursuant to Clauses 2.8, 2.9 and 2.11.
A Party wishing to rely on an event of Force Majeure shall promptly and in any event within 7 days of becoming aware of the same give written notice to the other Party of the nature of the event of Force Majeure and shall use its best endeavours to mitigate the effects of any such event of Force Majeure. If an event of Force Majeure relied on by the Supplier shall subsist for 28 days or more then the Authority shall have the right to terminate this Agreement at once by giving notice to the Supplier. On the occurrence of an event of Force Majeure the Parties shall meet as soon as reasonably practicable and acting in good faith shall use all reasonable endeavours (but without incurring undue costs) to agree the measures (if any) necessary to mitigate the effects of such event of Force Majeure and or to remedy any effects of the Force Majeure and, subject to Clause 18.2, the obligations of both parties shall be suspended to the extent that they are affected by such event of Force Majeure unless and until: the event of Force Majeure shall have ceased and any such measures shall have been agreed and the damage shall have been remedied pursuant to such agreement; or this Agreement is terminated whichever shall be the earlier.

Appears in 1 contract

Sources: Contract for the Supply of Human Papillomavirus Vaccine

Data Protection. To the extent that the Data transferred from Data Contributor under this Agreement contains Personal Data, then (i) each Party shall be considered a Controller for the purposes of Data Protection Law in respect of such Personal Data, and (ii) the terms of this clause 4 shall apply. Except to the extent set out otherwise in this clause 4, each Party shall be responsible for complying with Data Protection Law when performing its obligations and exercising its rights under this Agreement. In the event of a Personal Data Breach or the receipt of any correspondence from a competent regulatory authority or other public authority relating to Personal Data processed under this Agreement, the affected/receiving Party shall notify the other Party without undue delay and in any event within forty eight (48) hours after becoming aware of the same.
In the event of a Personal Data Breach each Party shall cooperate and assist the other in promptly investigating, mitigating and remediating any such Personal Data Breach and/or responding to any such complaint or other correspondence from a regulator or other public authority. The Parties shall, following consultation with each other, comply with any applicable obligations under Data Protection Law in relation to any such Personal Data Breach or correspondence from a competent regulatory authority or other public authority, including (where applicable) notification of a Personal Data Breach to any competent regulatory authorities, and/or Data Subjects. Data Contributor shall be solely responsible for compliance with all obligations under Data Protection Law relating to De-personalisation and transfer of Personal Data, including (i) ensuring it has and maintains a valid legal basis (ii) providing all required information to Data Subjects, (iii) handling requests received from Data Subjects wishing to exercise their rights under Data Protection Law, and (iv) ensuring that any international transfer of Personal Data is conducted in compliance with Data Protection Law. As between HDR and Data Contributor, HDR shall be solely responsible for (i) ensuring the suitability of the Trusted Research Environment for the processing of any Personal Data contained in the Data and (ii) entering into appropriate agreement(s) with the operator(s) of such Trusted Research Environment(s).
Each Party agrees that, within a reasonable period of the other Party’s request, it shall negotiate in good faith with the other Party and seek to agree promptly any such further documents as in each Party’s reasonable opinion are required to comply with or take account of (i) any amendment, re-enactment or extension of Data Protection Law and (ii) any relevant guidance issued by a regulatory authority of competent jurisdiction with respect to the processing activities regarding the Data under this Agreement.

Appears in 1 contract

Sources: Data Contribution Agreement

Data Protection. 2.1 Arrangement between the parties 2.1.1 The parties shall each Process the Personal Data. The parties acknowledge that the factual arrangements between them dictate the classification of each party in respect of the Data Protection Laws. Notwithstanding the foregoing, the parties anticipate that, in respect of the Personal Data, as between the Training Provider and ISL for the purposes of this Contract, the Training Provider shall act as a Controller and ISL shall, depending on the circumstances of the processing, act as a Controller or a Processor, as follows: a The Training Provider shall be a Controller where it is Processing Personal Data in relation to Delegates; b ISL shall be a Controller in relation to passing enquiries from potential Delegates to the Training Provider, and related obligations; and c ISL shall be a Processor where it is Processing Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under this Contract. 2.1.2 Each party acknowledges and agrees that Appendix A to this Contract is an accurate description of the Data Processing Particulars. 2.1.3 ISL undertakes to the Training Provider that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Data Protection Laws and ISL will, at its own expense, assist the Training Provider in discharging its obligations under the Data Protection Laws as more particularly detailed in this paragraph 2. ISL shall not, whether by act or omission, cause the Training Provider to breach any of its obligations under the Data Protection Laws. 2.1.4 Each party shall comply with all the obligations imposed on a Controller under the Data Protection Laws.
2.2 Data Processor obligations 2.2.1 To the extent that ISL Processes any Personal Data as a Processor for and on behalf of the Training Provider (as the Controller) it shall: a only Process the Personal Data for and on behalf of the Training Provider for the purposes of performing its obligations b keep a record of any Processing of the Personal Data it carries out on behalf of the Training Provider; c take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed d within thirty (30) calendar days of a request from the Training Provider, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Training Provider (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Paragraph 1.2, and provide reasonable e not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Training f promptly comply with any request from the Training Provider to amend, transfer or delete any Personal Data; g notify the Training Provider promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or ICO Correspondence and shall: i not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence without first consulting with and obtaining the Training Provider’s prior written consent; and ii provide the Training Provider with all reasonable co-operation and assistance required by the Training Provider in relation to any such Data Subject Request or ICO Correspondence; h notify the Training Provider promptly (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected, threatened or “near miss” Personal Data Breach in relation to the Personal Data (and follow-up in writing) and shall: i conduct or support the Training Provider in conducting such investigations and analysis that the Training Provider reasonably requires in respect of such Personal Data Breach; ii implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and iii assist the Training Provider to make any notifications to the ICO and affected Data Subjects; i comply with the obligations imposed upon a Processor under the Data Protection Laws; j use all reasonable endeavours to assist the Training Provider to comply with the obligations imposed on the Training Provider by the Data Protection Laws, including: i compliance with the Security Requirements; ii obligations relating to notifications required by the Data Protection Laws to the ICO and/or any relevant Data Subjects; iii undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the ICO and/or any equivalent regulatory body in respect of any such Data Protection Impact Assessments); and iv without undue delay and where feasible not later than 72 hours after having become aware of it notify Personal k upon the earlier of: i the receipt of a written direction of the Training Provider; ii termination or expiry of this Contract (as applicable); and iii the date on which Personal Data is no longer relevant to, or necessary for, the Permitted Purpose, ISL shall l not make (nor instruct or permit a third party to make) a transfer of Personal Data to a Restricted Country except with the prior written consent of the Training Provider and in accordance with any terms the Training Provider may impose on such transfer as the Training Provider deems necessary to satisfy the requirements m maintain complete and accurate records and information to demonstrate its compliance with this paragraph 1.2.
2.3 ISL Personnel 2.3.1 ISL shall only disclose Personal Data to its Personnel that are required by ISL to assist it in meeting its obligations under this Contract and shall ensure that such Personnel shall have entered into appropriate contractually-binding confidentiality undertakings.
2.4 Appointing sub-contractors 2.4.1 ISL shall not be permitted to appoint a 2.4.2 Notwithstanding any consent given by the Training Provider under paragraph 2.4.1, ISL shall remain primarily liable to the Training Provider for the acts, errors and omissions of any sub-contractor to whom it discloses Personal Data, and shall be responsible to the Training Provider for the acts, errors and omissions of such sub-contractor as if they were ISL’s own acts, errors and omissions to the extent that ISL would be liable to the

Appears in 1 contract

Sources: Training License Agreement

Data Protection. 26.1 For the purposes of this Clause the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing” shall have the meaning prescribed under the Data Protection ▇▇▇ ▇▇▇▇ (DPA) 26.2 The Recipient shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause either the Recipient or the Trust to breach any applicable obligations under the Data Protection Legislation. 26.3 To the extent that the Recipient is required to hold or process Personal Data, whether the data is Trust data or Recipient data, the following provisions of this Clause shall have effect. 26.4 The Recipient shall process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body. 26.5 The Recipient shall not delete or remove any proprietary notices contained within or relating to any Personal data. 26.6 The Recipient shall not store, copy, disclose, process or use Personal Data except as necessary for the performance by the Recipient of its obligations under this Agreement or as otherwise expressly authorised in writing by the Trust. 26.7 The Recipient shall ensure that any system on which it holds any Personal Data, including back-up data, is a secure system.
26.8 The Recipient shall implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected. 26.9 If the Personal Data is corrupted, lost or sufficiently degraded as a result of the Recipient’s default so as to be unusable, the Trust may require the Recipient (at its expense) to restore or procure the restoration of Personal Data, and the Recipient shall do so as soon as practicable. 26.10 If at any time the Recipient suspects or has reason to believe that Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Recipient shall notify the Trust immediately and inform the Trust of the remedial action it proposes to take. 26.11 The Recipient shall obtain prior written consent from the Trust in order to transfer the Personal Data to any sub-contractors or Affiliates for the provision of the Services; 26.12 The Recipient shall ensure that all Recipient Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 26.13 The Recipient shall provide the Trust with full co-operation and assistance in relation to any complaint or request made in respect of Personal Data, including by; a) providing the Trust with full details of the complaint or request; b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Trust’s instructions; c) providing the Trust with any Personal Data it holds in relation to Data Subject (within the timescales required by the Trust); and d) providing the Trust with any information requested by the Trust in respect of any Complaint;
26.14 The Recipient shall permit the Trust or the Trust Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Recipient’s data processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Trust to enable the Trust to verify and/or procure that the Recipient is in full compliance with its obligations under this Agreement 26.15 The Recipient shall provide a written description of the technical and organisational methods employed by the Recipient for processing Personal Data within 3 months of a request being made by the Trust 26.16 The Recipient shall not Process Personal Data generated or supplied for the purposes of this Agreement outside the European Economic Area without the prior written consent of the Trust and, where the Trust consents to a transfer, to comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred any reasonable instructions notified to it by the Trust.

Appears in 1 contract

Sources: Grant Agreement

Data Protection. 5.1 This Clause 5 sets out the framework for the sharing of personal data (as defined in the Data Protection Legislation) between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) shared personal data collected by the Data Discloser to provide the Services under this Agreement. 5.2 Each party shall comply with all the obligations imposed on a controller under the Data Protection Legislation.
5.3 Each party shall: (a) ensure that it has all necessary consents and notices in place to enable lawful transfer of the shared personal data to the Data Recipient; (b) take all reasonable steps to ensure that appropriate technical and organisational measures are put in place to protect the shared personal data and comply with the relevant Data Protection Legislation; (c) give full information to any data subject whose personal data may be processed under this Agreement of the nature of such processing. This includes giving notice that, on the termination of this Agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the permitted recipients, their successors and assignees; (d) process the shared personal data only to provide the Services under this Agreement; (e) not disclose or allow access to the shared personal data to anyone other than the permitted recipients; (f) ensure that all permitted recipients are subject to written contractual obligations concerning the shared personal data (including obligations of confidentiality) which are no less demanding than those imposed by this Agreement; (g) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (h) not hold or transfer any personal data outside of the European Economic Area unless the holder or transferor: (i) complies with the provisions of Article 26 of the General Data Protection Regulation (in the event the third party is a joint controller); and (ii) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the General Data Protection Regulation; (ii) there are appropriate safeguards in place pursuant to Article 46 of the General Data Protection Regulation; or (iii) one of the derogations for specific situations in Article 49 of the General Data Protection Regulation applies to the transfer.
5.4 Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall: (a) consult with the other party about any notices given to data subjects in relation to the shared personal data; (b) promptly inform the other party about the receipt of any data subject request; (c) provide the other party with reasonable assistance in complying with any data subject request; (d) not disclose or release any shared personal data in response to a data subject request without first consulting the other party wherever possible; (e) assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation; (g) at the written direction of the data discloser, delete or return shared personal data and copies thereof to the data discloser on termination of this Agreement unless required by law to store the personal data; (h) use compatible technology for the processing of shared personal data to ensure that there is no lack of accuracy resulting from personal data transfers; (i) maintain complete and accurate records and information to demonstrate its compliance with this Clause 5 and; (j) provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation.

Appears in 1 contract

Sources: Recruitment Services Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement. The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to any such transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data. data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 1 contract

Sources: Data Download Licence

Data Protection. 15.1 MarketAxess shall maintain any valid and up-to-date registration or notification required under the Data Protection Legislation. For the purposes of this Agreement, the Parties agree that when processing Personal Data contained in the Subscriber Data, Subscriber is a Controller and MarketAxess is a Processor. 15.2 MarketAxess shall, when acting as Processor for Subscriber: (a) only process any Personal Data contained in the Subscriber Data as provided for under this Agreement, unless required to process that Personal Data for other purposes by Applicable Law; and (b) provide reasonable assistance to Subscriber to respond to requests from individuals exercising their rights under the Data Protection Legislation; and (c) provide reasonable assistance to Subscriber to conduct privacy impact assessments (and any related consultations) where required under Data Protection Legislation. If this requires MarketAxess to take additional steps beyond those directly imposed on MarketAxess by Data Protection Legislation, Subscriber shall pay MarketAxess for the reasonable costs of taking those additional steps. 15.3 Subscriber agrees and acknowledges that MarketAxess’ processing of any Personal Data may involve the transfer of Personal Data to MarketAxess Group companies and third party suppliers or sub-contractors outside the European Economic Area only for the provision of the Services to Subscriber. 15.4 MarketAxess shall implement appropriate technical and organisational measures to protect any Personal Data contained in the Subscriber Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. That shall include: (a) ensuring any of its employees or agents or other persons to whom it provides access to Personal Data are obliged to keep it confidential; and (b) offering the ability for the Subscriber to select the use of pseudonymisation and request encryption of Personal Data contained within Subscriber Data, where appropriate and practicable in accordance with and subject to MarketAxess’ functionalities; and (c) measures to ensure the ongoing confidentiality, integrity and resilience of the System; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data. 15.5 Without limiting Clause 11.5, on the expiry or termination of this Agreement and at the option of Subscriber, MarketAxess shall return or delete any Personal Data contained in the Subscriber Data unless otherwise required to keep copies under Applicable Law. 15.6 At the request of the Subscriber, MarketAxess shall, at Subscriber’s cost, provide evidence of its compliance with Clauses 15.2, 15.4 and 15.5. 15.7 MarketAxess shall promptly notify Subscriber (in accordance with Applicable Law) if: (a) any data subject makes a written request to have access to Personal Data or any complaint or request relating to Subscriber’s obligation under the Data Protection Legislation; or (b) it becomes aware of any loss, damage, destruction, or unauthorised processing or accidental disclosure of Personal Data. 15.8 Subscriber shall ensure that it has obtained all necessary consents and permissions to permit MarketAxess to use and process any Personal Data in accordance with the terms of this Agreement. 15.9 Subscriber shall, at all times, comply with its obligations under the Data Protection Legislation and shall not perform its obligations under this Agreement or otherwise conduct itself in such a way as to cause MarketAxess to breach any of its obligations under this Clause 15 or any applicable Data Protection Legislation.

Appears in 1 contract

Sources: Master Agreement for Supply of Services

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters. The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol of these Call-off Terms and Conditions, as if such Sub-contractor were the Supplier. The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. The parties agree that in respect of: University Personal Data, the University shall be the Controller and the Provider shall be the Processor; and Provider Personal Data, Provider shall be the Controller and the University shall be the Processor. Each party shall comply with DP Laws and its relevant obligations as Processor and Controller under this Agreement. The Processor shall procure that any Sub-Processor that has access to Protected Data shall comply with the Processor’s obligations under this Agreement. The processing to be carried out by the Processor under this Agreement is for the purpose of enabling the Provider to carry out the Project for the Term. The Personal Data includes: (i) the University’s employee names and email addresses; (ii) the Provider’s employees names, email addresses and copies of their CV’s; and (iii) any other Personal Data which may be included on project reports provided by the Provider to the University. Where the Processor processes Protected Data on behalf of Controller, the Processor shall (and shall procure that any person acting under its authority who has access to Protected Data): process the Protected Data only on and in accordance with Controller’s documented instructions as set out in this clause 15 (“Processing Instructions”); and immediately inform Controller of any legal requirement under applicable law that would require the Processor to process the Protected Data otherwise than only on the Processing Instructions, or if any Controller instruction infringes DP Laws. The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Processor: such that the processing will meet the requirements of DP Laws and ensure the protection of the rights of Data Subjects; and so as to ensure a level of security in respect of Protected Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed. Without prejudice to clause 15.5.2, the Processor shall, in respect of all Protected Data processed by it under this Agreement comply with the requirements regarding security of processing set out in DP Laws, all relevant Controller policies and in this Agreement. The Processor shall not engage another Processor to perform specific processing activities in respect of the Protected Data without Controller’s prior written consent and, if the Controller gives its consent, the Processor shall appoint the Sub-Processor under a binding written contract (a “Processor Contract”) which imposes the same data protection obligations as are contained in this Agreement on the Sub-Processor, in particular under clause 15.5 and the conditions in this clause 15.7 for engaging another Processor. The Processor shall ensure that Processor personnel processing Protected Data are under an obligation to keep Protected Data confidential, and take all reasonable steps to ensure that the Processor personnel processing Protected Data receive adequate training on compliance with this clause 15 and the DP Laws applicable to the processing. The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures to assist the Controller in the fulfilment of Controller’s obligations to respond to Data Subject Requests relating to Protected Data, including to ensure that all Data Subject Requests it receives are recorded and then referred to the Controller within three (3) days of receipt of the request.

Appears in 1 contract

Sources: Call Down Framework Agreement

Data Protection. Each of the parties shall in the course of performing its obligations under this Agreement comply with the provisions of the Applicable Data Protection Legislation. For the purposes of this Clause 14, the parties agree and acknowledge that: whilst the factual arrangement between the parties dictates the classification of each party as a ‘Controller’ or ‘Processor’ under the Applicable Data Protection Legislation, the parties anticipate that the Customer shall be the Controller and Swiss Post Solutions shall be the Processor where Swiss Post Solutions is processing Personal Data in connection with its provision of the Services; the description provided in Schedule [11] (Data Protection Particulars) is an accurate description of the Data Protection Particulars; Swiss Post Solutions may have access to Personal Data (including ‘sensitive’ or ‘special categories’ of Personal Data) in its provision of the Services. Where Swiss Post Solutions processes Personal Data as a Processor on behalf of the Customer, Swiss Post Solutions shall: process the Personal Data only in accordance with the terms of this Agreement and the documented instructions of the Customer; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; ensure that all individuals who it permits to process Personal Data are bound by enforceable obligations of confidentiality; save where such countries have been deemed by the European Commission to be providing an adequate level of protection pursuant to the relevant provisions of the Applicable Data Protection Legislation, not transfer Personal Data outside the European Economic Area without the written instructions of the Customer. Notwithstanding the foregoing, Swiss Post Solutions is expressly permitted and instructed by the Customer that it may transfer Personal Data to any other Swiss Post Solutions Group Member and any other third parties, subject to first ensuring that adequate protections are in place to protect the Personal Data consistent with the requirements of the Applicable Data Protection Legislation; notify the Customer without undue delay if it becomes aware of a Personal Data Breach in relation to Personal Data processed pursuant to this Agreement; taking into account the nature of the processing and the information available to Swiss Post Solutions and the price paid by the Customer, assist the Customer in ensuring the Customer's compliance with the Customer's obligations under the Applicable Data Protection Legislation in relation to Personal Data processed pursuant to this Agreement:

Appears in 1 contract

Sources: Service Agreement

Data Protection. 15.1 Notwithstanding the remaining provisions hereof, each of Absa and Supplier hereby warrants and represents to the other that in the event that they Process any Personal Data, they will comply with Personal Data Protection Act, 2022 and its Regulations and such compliance will include, but not be limited to, maintaining a valid and up to date registration or notification (where applicable) under the Personal Data Protection Act, 2022.
15.2 Each of Absa and the Supplier hereby warrants and represents to the other that they have collected all necessary consents and done all such things as may be required under the Data Protection Legislation and any other applicable law relating to the protection of privacy, for the transfer of the Personal Data to the other party for the purposes of the other party Processing it as contemplated by this Agreement.
15.3 The Supplier will not process, transfer or permit access to any Personal Data outside the jurisdiction within or from which the Supplier's obligations are being performed or the Personal Data is being processed save to the extent notified to Absa in writing in advance and in compliance with all Data Protection Legislation and any other applicable law relating to the protection of privacy or the access to information.
15.4 The Supplier will notify Absa promptly and in any event within twenty-four hours of becoming aware of any actual, suspected or alleged loss, leak or unauthorised Processing of any Personal Data.
15.5 The Supplier will notify Absa promptly upon receiving a request for information made in terms of the Personal Data Protection Act, 2022, claim, complaint or allegation relating to Absa’s compliance with the Data Protection Legislation in relation to the Personal Data (the Enquiry) and the Supplier will provide Absa with all such assistance in dealing with and responding to such Enquiry as Absa will reasonably request, provided always that the Supplier will not take any other action in relation to any such Enquiry without the prior written authorisation of Absa.
15.6 The Supplier will implement appropriate technical and organisational measures to protect Personal Data against unlawful processing and against accidental loss, destruction, damage, alteration or disclosure of the Personal Data. Such measures will be appropriate to the harm that might result from unauthorised or unlawful Processing or accidental loss, destruction or damage to Personal Data and to the nature of Personal Data to be protected and will include taking reasonable steps to ensure the reliability of any employees having access to the Personal Data.
15.7 In the event that a third party processes any Personal Data on behalf of the Supplier, the Supplier will procure compliance by such third party with the Data Protection Legislation.
15.8 Any other applicable law relating to the protection of privacy or the access to information and with the terms of this letter and, as between Supplier and Absa, the Supplier will be responsible for the acts or omissions of such third party in relation to such processing as though they were the Supplier’s acts or omissions.

Appears in 1 contract

Sources: Purchase Agreement

Data Protection. 12.1 The Consultant shall not either during or after the termination of this Agreement without limit in point of time divulge or communicate to any person or persons except to those staff of LJMU whose province it is to know the same any personal data, as defined in the Data Protection Act 1998 (and including, but without limitation, any sensitive personal data) relating to any living identifiable person or persons in whole or part or in any form which the Consultant may receive in connection with or for the purposes of any arrangements made by or pursuant to this Agreement (in this clause 9 “Personal Data”) and shall not (save for such purposes) process, use reproduce or disclose any Personal Data unless authorised by legislation or by the express written consent of LJMU and on such terms as LJMU may specify. The Consultant shall procure that its employees and agents (and for the avoidance of doubt, the Personnel) shall observe the provisions of this clause.
12.2 The Consultant shall take appropriate security measures in respect of all Personal Data in its possession or control.
12.3 Where the Consultant processes Personal Data on behalf of LJMU, the Consultant shall:
12.3.1 immediately at the request of LJMU stop processing all or any Personal Data or confirm any disclosures made in accordance with the terms of this Agreement (and provide copies, if required) and assist LJMU in responding to any enquiry by the Information Commissioner;
12.3.2 Unless otherwise agreed in writing, only process Personal Data to the extent and in such a manner as is necessary for the provision of the Services or as is required by law;
12.3.3 Implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure;
12.3.4 promptly notify LJMU if the Consultant receives a request from a Data Subject (being an individual who is the subject of Personal Data) to have access to Personal Data, or any other request or complaint relating to LJMU’s obligations under the Data Protection Act, and provide full co-operation and assistance to LJMU in relation to any such request or complaint; and
12.3.5 Permit LJMU or its duly authorised representative to inspect and audit the Consultant’s data processing activities under this Agreement, and comply with all reasonable requests or directions by LJMU to enable LJMU to verify and/or procure that the Consultant is in compliance with its obligations under this Agreement.
12.4 The Consultant shall comply with all and any data protection legislation and mandatory regulations as required from time to time by law.
12.5 The Consultant shall indemnify LJMU against all liability loss damage and expense of whatsoever nature incurred or suffered by LJMU or any third party as a result of any breach of any data protection legislation, regulations, codes of practice, guidance and requirements of government or governmental agency by the Consultant (including the Personnel and employees and agents of the Consultant).
12.6 The provisions of this clause 9 shall continue in effect notwithstanding termination of this Agreement for any reason.

Appears in 1 contract

Sources: Framework Agreement for Photography Services

Data Protection. 11.1 Each Party shall, at all times, comply with its respective obligations under all applicable Data Protection Legislation in relation to all Personal Data that is processed under this Agreement. The Customer remains solely responsible for determining the purposes of the processing of Personal Data under the Agreement.
11.2 For the avoidance of doubt, the Parties acknowledge that where Data Protection Legislation applies, the Customer acts as the data controller and Nazka acts as the processor of the Personal Data to be stored, used or otherwise processed in the context of this Agreement as these terms are defined in the Data Protection Legislation. The Customer expressly agrees that ▇▇▇▇▇ is entitled to process Personal Data for the performance of this Agreement and/or any other future documented instructions from the Customer.
11.3 Nazka shall not disclose Personal Data to any third parties (i) other than subcontractors or third parties to whom such disclosure is necessary for the provision of the Services or (ii) unless and to the extent required by any competent authority. The Customer agrees that ▇▇▇▇▇ may engage other Processors where it deems this to be essential to the performance of its Services. Nazka shall inform the Customer of any intended changes concerning the addition or replacement of other processors, thereby giving the Customer the opportunity to object to such changes. To the extent that ▇▇▇▇▇ needs to disclose Personal Data to one or more of its subcontractors, it shall adopt appropriate contractual safeguards with these subcontractors in order to provide an adequate protection for the Personal Data which they process pursuant to this Agreement. In any event, ▇▇▇▇▇ shall take appropriate technical and organizational measures to avoid unauthorized use or disclosure of Personal Data.
11.4 Where ▇▇▇▇▇ will, as part of the performance of its Services hereunder, access, handle or use any Personal Data, it will:
a) Comply with the Data Protection Legislation.
b) Make available to the controller all information necessary to demonstrate this compliance with Data Protection Legislation and allow for and contribute to audits conducted by the controller or another auditor mandated by the controller;
c) Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
d) Assist the Customer where feasible in ensuring compliance with the Customer’s obligations pursuant to articles 32 and 36 of the General Data Protection Regulation
e) Access, handle, and use such Personal Data only as needed in order to perform its Services under this Agreement or in order to comply with applicable laws or court orders;
f) Follow any reasonable instructions provided by the Customer relating to compliance with any laws, regulations or court orders applicable to the collection, use, and disclosure of Personal Data;
g) Notify the Customer as soon as reasonably possible in the event of any breach of the security of such Personal Data, and cooperate with the Customer in any post-breach investigation or remediation efforts;
h) Notify the Customer as soon as reasonably possible in the event the Party is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any such Personal Data to any person other than someone expressly approved to receive such Personal Data by the Customer;
i) Return or destroy all such Personal Data as soon as reasonably possible upon the termination of this Agreement, or at any time during the term of this Agreement upon written instructions from the Customer;
j) Not transfer the Personal Data to an entity established in a non-EEA country that does not ensure an adequate level of protection within the Data Protection Legislation.
k) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
l) At the choice of the Customer, delete or return all personal data to the Customer after the end of the provision of services relating to the processing, as well as deleting existing copies unless Union or Belgian law requires storage of personal data.

Appears in 1 contract

Sources: Software as a Service Agreement

Data Protection. (a) The Parties acknowledge that if any Recipient operates under the authority of any financial services related Governmental Authority (the “Banking Recipient”), it will be subject to the applicable rules and regulations of such Governmental Authority. Any information related to identified or identifiable clients of the Banking Recipient (“Client Data”) shall in any case be considered Confidential Information of the Banking Recipient, and the Banking Recipient may, notwithstanding any other provision of this Clause 11, share Confidential Information with its regulators, auditors and competent public authorities, provided it requests confidential treatment.
(b) The Supplier of the Banking Recipient (the “Banking Supplier”) acknowledges and accepts that with regard to Client Data of such Bank it is subject to the same professional secrecy obligations as the Banking Recipient. The Banking Supplier agrees to comply with such obligations and undertakes and warrants that its employees, contractors and consultant third parties, who may have access to such Client Data, (i) will comply with such obligations and in particular maintain strict confidence with regard to any Client Data, not to permit any unauthorized person or system to access Client Data, and in particular comply with any security standards required or recommended by a Government Authority or by Applicable Law; (ii) will not transfer or make any Client Data available to any person or system outside of the United States, or permit any person or system outside of the United States to access any Client Data located in the United States, unless expressly permitted by the Banking Recipient in writing in each case; (iii) sign a confidentiality and data protection declaration reasonably requested by the Banking Recipient before being granted access to its Client Data; (iv) will have successfully passed any background and security checks reasonably requested by the Banking Recipient before being granted access to Client Data and periodically thereafter; and (v) will be immediately refused access to Client Data or systems managing Client Data upon the Banking Recipient’s request or if the Banking Supplier concludes that they may not be complying with the foregoing professional secrecy obligations. The Banking Supplier will on an ongoing basis monitor compliance with the foregoing, adequately log access to Client Data and provide the Banking Recipient with any reasonably requested documentation or other proof related to this clause.
(c) The Parties to this Agreement undertake for themselves, their employees, contractors and consulted third parties and their Affiliates to be in compliance with Data Protection Legislation.
(d) To the extent that the Supplier processes Personal Data of third parties received from the Recipient in the context of Transitional Arrangements, such Personal Data shall be considered Confidential Information of the Recipient and the Supplier undertakes and warrants that it, its employees and contractors will: (i) process such Personal Data of the Recipient only for the purposes, and only as set forth by this Agreement and as instructed by the Recipient; (ii) not export such Personal Data to, or permit access from, any country other than the United States without prior written consent of the Recipient; (iii) delegate the processing of such Personal Data only with prior consent of the Recipient; (iv) promptly, subject to any Government Authority, report to the Recipient any breach or suspected data breach (including violation of this Clause 11) and provide the Recipient any reasonably requested assistance in relation thereto; (v) upon termination of the Agreement or upon the Recipient’s request return or delete any such Personal Data without keeping a copy; and (vi) provide any other assistance to the Recipient reasonably requested by the Recipient for the purposes of data protection compliance, which may include the execution of separate data protection agreements; provided, that the handling of Personal Data in a manner consistent with the Pre-IPO Form shall be deemed to satisfy the requirements of this Clause 11.8(d).
(e) Should a Party receive any legal process or other request from a regulator, prosecutor or other public authority to gain access to Personal Data or other Confidential Information of the other Party, it will immediately notify the other Party and permit the other ▇▇▇▇▇ to defend against such legal process or request (or, if not possible, defend against it in the other Party’s best interest).
(f) The Recipient may, from time to time, verify or have verified the Supplier’s compliance with Clause 11.8(c) (including the Supplier’s technical and organizational measures to prevent unauthorized processing of Personal Data) by an independent, reputable professional bound by an adequate confidentiality undertaking. Each Party shall bear its own costs in connection with an audit.

Appears in 1 contract

Sources: Transitional Services Agreement (Synchrony Financial)

Data Protection. 17.1 The Parties herewith give each other permission to collect and process the other Party’s Personal Information and acknowledge that it understands the purpose for which it is required and for which it will be used. Personal Information will be as defined under the Protection of Personal Information Act, No 4 of 2013 (“POPI Act”).
17.2 The Parties further agree that a Party’s Personal Information will only be processed by the other Party to give effect to the Disclosing Purpose. Disclosing Purpose shall mean giving effect to the transaction as set out under this Agreement.
17.3 Each Party warrants that it is duly authorised to disclose the Personal Information to the other Party.
17.4 Only the Personal Information provided directly by a Party to the other Party will be collected and processed to give effect to the Disclosing Purpose.
17.5 The Parties may disclose the Personal Information to its service providers and shall ensure that it has agreements in place with such service providers to ensure that they comply with the privacy requirements set out hereunder and as required by the POPI Act.
17.6 The Parties will store the Personal Information securely, electronically and in a centralised data base, which, for operational reasons, will be accessible to all within the organisation of such Party on a need to know and business basis, save that where appropriate, some of the Personal Information may be retained in hard copy.
17.7 Once the Personal Information of a Party is no longer required due to the fact that the purpose for which the Personal Information was held has come to an end and has expired, such Personal Information will be safely and securely archived for such periods as may be required by any law applicable in South Africa. Thereafter such Party will ensure that such Personal Information is permanently destroyed.
17.8 The Parties shall be obliged to provide adequate protection for the Personal Information it holds and to stop unauthorized access and use of the Personal Information in its possession. The Parties will, on an on-going basis, continue to review its security controls and related processes to ensure that the Personal Information remains secure. The Parties shall immediately notify each other if a breach in information security or any other applicable security safeguard occurs or where there are reasonable grounds to believe that the Personal Information has been accessed or acquired by any unauthorised person and remedy any breach of a security safeguard in the shortest reasonable time.
17.9 When a Party contracts with third parties, it will impose appropriate security, privacy and confidentiality obligations on them to ensure that Personal Information that it remains responsible for, is kept secure. The Parties will ensure that anyone to whom it passes the Personal Information to agrees to treat the Personal Information with the same level of protection as set out under this Agreement.
17.10 The Parties have the right to request a copy of the Personal Information the other Party holds. To do this, the requesting Party must follow the procedure as set out under the PAIA and POPIA Manual of the Party holding such Personal Information and specify what information is required.
17.11 Each Party has the right to ask from the other Party to update, correct or delete Personal Information provided to such Party.

Appears in 1 contract

Sources: Transport Services Agreement

Data Protection. 18.1 Each of the Servicer and the Mortgages Trustee represents that as at the date hereof it has obtained, and that hereafter it will maintain, all appropriate notifications, permissions or other licences and authorities (if any) required under the DPA and (in the case of the Servicer) the CCA (in each case as amended or re-enacted) to enable it to perform its obligations under this Agreement. The Mortgages Trustee represents that as at the date hereof it has applied for a licence under the CCA and that, after it has obtained such a licence it will maintain such licences to enable it to perform its obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, the Servicer agrees and covenants that it will, if the Mortgages Trustee requires the Servicer to do so, take all reasonable steps to notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the DPA) and provide each such Borrower with such details as the Mortgages Trustee shall reasonably request including but not limited to the Mortgages Trustee's contact details for the purposes of the DPA.
18.2 The Servicer agrees to Process the Personal Data to which this Clause 18 applies in accordance with the terms and conditions set out in this Agreement, and in particular the Servicer agrees that it (and any subcontractors it appoints pursuant to Clause 3.2 (Sub-Contracts)) shall:
(a) in a manner consistent with the DPA and with any guidance issued by the UK Information Commissioner, implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of Personal Data to be protected;
(b) ensure that each of its employees, agents and subcontractors are made aware of its obligations under this Agreement with regard to the security and protection of the Personal Data;
(c) take reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data;
(d) not divulge the Personal Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Mortgages Trustee except: (i) to those of its employees, agents and subcontractors who are required to process the Personal Data in connection with the administration and/or management of the Loans in the Portfolio; (ii) in accordance with any existing permissions or consents which the Servicer has in relation to the Personal Data in its own right; or (iii) as may be required by any law or regulation;
(e) in the event of the exercise by Data Subjects of any of their rights under the DPA in relation to the Personal Data, perform (on behalf of the Mortgages Trustee) any obligations required in response to such exercise of rights, or (if unable to do so or if it is otherwise necessary) inform the Mortgages Trustee as soon as possible, and the Servicer further agrees to handle or to assist the Mortgages Trustee with handling all Data Subject information requests which may be received from any Data Subject in relation to any Personal Data;
(f) not perform any Processing or transfer the Personal Data outside of the United Kingdom except with the express prior written authority of the Mortgages Trustee;
(g) on reasonable notice, allow its Personal Data processing facilities, procedures and documentation to be submitted for scrutiny by the Mortgages Trustee or its representatives in order to ascertain compliance with the terms of this Agreement; and
(h) in the case of processing by a sub-contractor of the Servicer: (i) ensure that the sub-contractor's processing is carried out under a written contract imposing on the sub-contractor the same obligations as are imposed on the Servicer in this Clause 18.2; and (ii) ensure that the sub-contractor performs and observes these obligations.

Appears in 1 contract

Sources: Servicing Agreement

Data Protection. 9.1 The parties will observe all provisions of the relevant data protection laws and regulations, insofar as the violation of such provisions affects the interests of the other party and/or the data subject involved. This includes the obligation of the Client to duly inform involved data subjects about the processing of their personal data by Ortus Telematics under the instruction of the Client.
9.2 Ortus Telematics shall only collect, process, store and use personal data, and the Resource Data, to the extent that such is necessary for the performance of this Agreement and the improvement of the Ortus Insight Service.
9.3 The Client instructs Ortus Telematics to collect, process, store and use their Resource Data for the purpose as included under Clause 9.2 above.
9.4 The Client approves that Ortus Telematics is allowed to outsource the hosting of its data centers to a third party within the European Economic Area. Ortus Telematics warrants that such third party is legally bound to the relevant provisions of this Agreement and to the provisions of the data protection laws as a “Data Processor” as defined in the European Data Protection Directive (95/46/EC).
9.5 The Client may revoke its consent for the collection, processing, storage and use of the Resource Data in relation to this Agreement at any time. Such revocation must be presented to Ortus Telematics in writing and shall not affect the Agreement and will leave the Client’s obligations (including payment obligations) under the Agreement intact. The Client acknowledges that as a result of such revocation Ortus Telematics may not be able to provide the Ortus Insight Service.
9.6 Ortus Telematics shall implement appropriate technical and organisational measures to protect any personal data collected under the Agreement against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
9.7 The parties acknowledge that they have agreed that the Client will respond to enquiries from data subjects, governmental and/or judicial body concerning the processing of personal data by Ortus Telematics. The Client should have sufficient processes in place to handle such enquiries.

Appears in 1 contract

Sources: General Terms and Conditions

Data Protection. 12.2.1 The Parties acknowledge their respective duties under the Data Protection Legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties.
12.2.2 To the extent that the Recipient is acting as a Data Processor on behalf of the CIOS LEP, the Recipient shall, in particular, but without limitation:
(a) only process such Personal Data and/or Sensitive Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with any instruction given by CIOS LEP under this Agreement;
(b) put in place appropriate technical and organisational measures against any unauthorised or unlawful processing of such Personal Data and/or Sensitive Personal Data, and against the accidental loss or destruction of or damage to such Personal Data and/or Sensitive Personal Data having regard to the specific requirements in this Agreement, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data and/or Sensitive Personal Data is affected by such unauthorised or unlawful processing or by its loss, damage or destruction;
(c) take reasonable steps to ensure the reliability of staff who will have access to such Personal Data and/or Sensitive Personal Data, and ensure that such staff are properly trained in protecting Personal Data and Sensitive Data;
(d) provide CIOS LEP with such information as CIOS LEP may reasonably require to satisfy itself that the Recipient is complying with its obligations under the Data Protection Legislation;
(e) promptly notify CIOS LEP of any requests for disclosure of or access to the Personal Data and/or Sensitive Personal Data;
(f) promptly notify CIOS LEP of any breach of the security measures required to be put in place pursuant to this clause 12.2.2;
(g) ensure it does not knowingly or negligently do or omit to do anything which places CIOS LEP in breach of the obligations of CIOS LEP under the Data Protection Legislation;
(h) to the extent that any CIOS LEP data is held and/or processed by the Recipient, the Recipient shall supply the CIOS LEP data to CIOS LEP as requested by CIOS LEP;
(i) ensure that it is registered under the Data Protection Legislation and the registration covers any processing required under this Agreement.
12.2.3 The Recipient and CIOS LEP shall ensure that Personal Data and Sensitive Personal Data is safeguarded at all times in accordance with the law.

Appears in 1 contract

Sources: Funding Agreement

Data Protection. 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 8 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
8.2 Without prejudice to the generality of clause 8.1, each party will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Agreement.
8.3 Without prejudice to the generality of clause 8.1, each party (“Processor Party”) shall, in relation to any Personal Data processed in connection with the performance by the Processor Party of its obligations under this agreement:
8.3.1 process Personal Data in respect of which the other party (“Controller Party”) is Data Controller only on the written instructions of the Controller Party unless the Processor Party is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Processor Party to process Personal Data (“Applicable Laws”). Where the Processor Party is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Processor Party shall promptly notify the Controller Party of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor Party from so notifying the Controller Party;
8.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
8.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
8.3.4 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless the prior written consent of the Controller Party has been obtained and the following conditions are fulfilled: (a) the Controller Party or the Processor Party has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Processor Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor Party complies with reasonable instructions notified to it in advance by the Controller Party with respect to the processing of the Personal Data;
8.3.5 assist the Controller Party, at the Controller Party’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
8.3.6 notify the Controller Party without undue delay on becoming aware of a Personal Data breach;
8.3.7 at the written direction of the Controller Party, delete or return Personal Data and copies thereof to the Controller Party on termination of the agreement unless it is a Legal Requirement to store the Personal Data; and
8.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 8.
8.4 For processing of Personal Data in connection with this Agreement: the duration of the processing is the term or such longer period as is required by law; the subject matter, nature and purpose is the storage of Personal Data and the sharing of Personal Data between the parties and their respective Group Companies to allow performance of the parties' obligations pursuant to this agreement; types of Personal Data subject to processing pursuant to this agreement are names, addresses, email addresses, IP addresses; and the categories of data subject are Company and Consultant Company contact details, employees of the Company and the Individual or any Substitute.
8.5 [The Company agrees that any Substitute appointed under clause 3.3 is a third-party processor of personal data under this Agreement. The Consultant Company confirms that it will enter into a written agreement, which incorporates terms which are substantially similar to those set out in this clause 8 with the Substitute. The Consultant Company will remain fully liable for all acts or omissions of any third-party processor appointed by it under this clause 8.5.]
8.6 The Consultant Company will have liability for and will indemnify the Company and any Group Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Consultant Company, the Individual or a Substitute of the Data Protection Legislation and will maintain in force full comprehensive Insurance Policies.

Appears in 1 contract

Sources: Consultancy Agreement

Data Protection. 7.1 The Parties agree that to the extent that Confidential Information provided to the Receiving Party comprises any Personal Data (as defined under the Irish Data Protection Acts 1988 and 2003 as amended, modified or consolidated or, on and with effect from its effective date, the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (the “GDPR”) as may be amended, re-enacted or re-instated from time to time and any implementing legislation (together, the “Data Protection Laws”)) any such Personal Data which the Disclosing Party, supplies or discloses to the Receiving Party pursuant to this Agreement and / or otherwise as part of the Proposed Transaction, shall be treated as set out in this Clause 7.
7.2 The Parties acknowledge that the Receiving Party may transfer Personal Data to its Affiliates. In such a case, the Receiving Party shall be directly liable for the observance and proper performance (and any omissions in that regard) by those of its Affiliates who have received Personal Data of the terms and conditions of this Agreement and in particular this Clause 7.
7.3 The Receiving Party confirms that it has appropriate technical and organisational measures required to protect against unauthorised access to, or accidental or unauthorised destruction, loss, alteration or disclosure of any Personal Data contained in the Confidential Information.
7.4 The Personal Data shall remain at all times the property of and in the ownership of the Disclosing Party (as applicable) and the Receiving Party shall have no rights whatsoever in respect thereof.
7.5 The Receiving Party warrants and undertakes that it shall:
(a) comply with the Data Protection Laws and all other applicable data protection laws and guidance including (without limitation) applicable laws relating to accessing, use and onward disclosure, distribution, exporting, archiving, maintenance and storage of Personal Data and with the terms of this Agreement and process the Personal Data only to the extent strictly necessary in connection with the Proposed Transaction and in accordance with the Disclosing Party’s instructions from time to time;
(b) subject to this Clause 7, not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by the Disclosing Party;
(c) implement and maintain such technical and organisational security measures as may be required to comply with the applicable Disclosing Party’s data security obligations in the Data Protection Laws;
(d) other than transfers of Personal Data to the Disclosing Party or to other third parties specified by the Disclosing Party, not under any circumstances transfer the Personal Data outside of the European Economic Area unless authorised in writing to do so by the Disclosing Party; and
(e) enter into such other written agreement in respect of the processing or transfer of Personal Data as a Disclosing Party may require.
7.6 Upon expiry or termination of this Agreement, or upon the earlier written request of a Disclosing Party, the Receiving Party shall promptly either return or destroy all Personal Data disclosed to it by the Disclosing Party including any copies, notes or other materials containing such Personal Data and the Receiving Party shall if so requested in writing by the Disclosing Party, certify to the Disclosing Party that it has complied with this Clause 7.
7.7 The Receiving Party shall notify the Disclosing Party as soon as reasonably practicable and in any event within twenty-four (24) hours of: (a) any legally binding request for disclosure of Personal Data by a law enforcement regulatory body or other competent authority unless prohibited by law from doing so; (b) receiving any correspondence, notice or other communication whether orally or in writing from the relevant data protection regulator or any other regulator or person, relating to the Personal Data.
7.8 Where the Receiving Party receives a legally binding request for access to personal data by a law enforcement agency regulatory body or other competent authority, the Receiving Party will inform the Disclosing Party except where such disclosure is itself legally prohibited. The Receiving Party will reject any such request which is non-legally binding.
7.9 Without prejudice to the other provisions of this Clause 7, if the Receiving Party or any of the Receiving Party’s employees or contractors becomes aware of any Data Protection Incident, or has commenced an investigation to assess whether there has been a Data Protection Incident (an “Investigation”), then the Receiving Party shall promptly (but in any event within twenty-four (24) hours of, the earlier of (i): discovery of a Data Protection Incident; or (ii) commencement of an Investigation) notify the Disclosing Party by both telephone and by email. The Receiving Party shall, at no additional cost to the Disclosing Party, provide the Disclosing Party with all resources, assistance and cooperation as are required by the Disclosing Party in order for it to comply with its own contractual or legal obligations in respect of the data subjects (as defined in the Data Protection Laws).
7.10 The Receiving Party shall execute all such additional documents, give such assistance and do such acts and things as may in the opinion of any Disclosing Party be necessary or desirable in order to comply with the Data Protection Laws.
7.11 Without prejudice to Clause 7.5(b), the Receiving Party shall not permit a third party to process Personal Data on its behalf unless the Receiving Party and the third party first enter into a written agreement which imposes the same obligations on the third party as are imposed on the Receiving Party under this Agreement and which also imposes the obligations that are required under Data Protection Laws.
7.12 The Receiving Party acknowledges and agrees that insofar as it processes Personal Data, comprised in the Confidential Information provided to the Receiving Party, it does so as a data controller in its own right and not as a data processor for the Disclosing Party. However, without prejudice to the foregoing to the extent that the Receiving Party acts as a data processor on behalf of the Disclosing Party, the Receiving Party shall in addition to the obligations set out in this Clause 7 and Clause 4.1:
(a) inform the Disclosing Party if it is required to process the Personal Data by EU or member state law to which it is subject, prior to such processing, other than where that law prohibits the Disclosing Party from being informed on important grounds of public interest;
(b) not appoint any sub-processors except pursuant to Clause 7.5(b);
(c) taking into account the nature of the processing by the Receiving Party and the nature of the information available to it, assist the Disclosing Party in respect of data subject rights requests under Chapter III of the GDPR and assist the Disclosing Party in complying with its mandatory obligations under Articles 32 to 36 of the GDPR;
(d) make available to the Disclosing Party all information necessary to demonstrate its compliance with its obligations under this Clause 7 and Clause 4.1, and shall allow for and contribute to audits, including inspections, conducted by the Disclosing Party and/or its auditors, having regard to the Receiving Party’s obligations of confidentiality to third parties other than the Disclosing Party.

Appears in 1 contract

Sources: Non Disclosure Agreement

Data Protection. The parties Parties acknowledge that personal data may be transferred their respective duties under this agreement (“Personal Data”) Data Protection Legislation and shall give each party will fully other all reasonable assistance as appropriate or necessary to enable each other to comply with its respective obligations under those duties. For the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers avoidance of their processing operations performed with such Personal Data. Taking into account the state of the artdoubt, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to each Party shall take reasonable steps to mitigate ensure it is familiar with the impact Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where either Party is Processing Personal Data under or in connection with this contract as a Processor, the Parties shall comply with the Data Protection Protocol. Where the Parties are both Processing Personal Data under or in connection with this contract as Controllers, the Parties shall set out their rights and responsibilities in respect of such Personal Data in a document based on the model data sharing agreement at 0. 
The provisions of this paragraph 0 are additional to those set out in the Data Protection Protocol. Without prejudice to the generality of paragraph 0, when acting as a Controller HEE shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to the Provider for the duration and purposes of this contract. 12003202.279 NHS Education and Training Contract v1 — published [INSERT DATE] Without prejudice to the generality of paragraph 0, when acting as a Controller in with ▇ ▇▇▇▇▇▇▇▇▇▇ is contract the Provider shall: not transfer any Personal Data outside of the UK without the prior written consent of ▇▇▇; ▇▇▇▇▇ ▇▇▇ in responding to any request from a Data Subject to exercise any of their rights under the Data Protection Legislation and responding to consultations and inquiries from the Information Commissioner's Office or any other regulator; ▇▇▇ without undue delay on becoming aware of a Data Loss Event; and ensure that all personnel who have access to or process Personal Data in connection with this contract are obliged to keep the personal data confidential. When acting as a Controller, the Provider must obtain the prior written consent of ▇▇▇, such consent not to be unreasonably withheld or delayed, prior to appointing any third party as a Processor of Personal Data under this contract.
The Provider and HEE shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to HEE under any Law and Guidance (this includes, data transferred over wireless or wired networks, memory sticks held laptops, CDs and tapes). Where, as a requirement of this contract, either Party is Processing Personal Data relating to ▇▇▇▇ ers as part of the Services, that Party shall: complete and publish an annual information governance assessment using the Data Security & Protection Toolkit (.▇▇▇▇▇▇▇▇▇.▇▇▇.▇▇); meet the standards in the relevant NHS Data Security & Protection Toolkit; nominate an information governance lead able to communicate with that Party's board of directors or equivalent governance body, who will be responsible for information governance and from whom that Party's board of directors or equivalent governance body will receive regular reports on incidents of data loss; in addition to the requirements of the Data Protection Protocol, report all incidents of data loss and breach of confidence in accordance with applicable Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines (which can be provided to the Provider by the HEE on request); put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies rigorously; put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this contract; at all ▇▇▇▇ comply with any information
governance requirements and/or processes as may be set out in the Service Specification; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Provider by HEE from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Subject to clause 14, the Provider shall indemnify and keep ▇▇▇ indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Provider's unlawful or unauthorised Processing (whether in breach of this contract or the Data Protection Legislation) or the destruction inaccessibility and/or damage to Personal Data for which the Provider is responsible in connection with this contract. The requirements of this paragraph 0 are in addition to, and do not relieve, remove or replace, a Party's obligations or rights under the Data Protection Legislation.

Appears in 1 contract

Sources: NHS Education and Training Contract

Data Protection. 8.1 Each Party agree that in performing its obligations, it shall comply in all material respects with the provisions of the DPA, all statutory and regulatory provisions binding upon it and any applicable codes of practice and that it will remain, entitled under the DPA to receive, retain and disclose all personal data relating to a Policyholder or otherwise. 8.2 All information received by one Party from the other shall be held in a secure state to no less a standard than the recipient secures its own information. 8.3 To the extent that the Agent acts as a data processor on behalf of RACMS and/or RACIL, for the purposes of any personal data processed by the Agent in connection with this Agreement, the Agent agrees to comply with the obligations placed on RACMS and/or RACIL by the seventh data protection principle set out in the DPA (the ‘Seventh Principle’). 8.4 The Agent agrees to use all reasonable efforts to assist RACMS and RACIL to comply with such obligations as are imposed on RACMS and/or RACIL by the DPA.
Taking into account In particular, the state Agent agrees to immediately notify RACMS and/or RACIL (as the case may be), and to provide all reasonable and necessary assistance to RACMS and/or RACIL (as the case may be) in the following events: 8.4.1 receipt of any subject access request under Section 7 of the artDPA in relation to this Agreement; 8.4.2 any accidental or unlawful destruction, the costs of implementation and the natureaccidental loss, scopealteration, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing unauthorised disclosure or access of Personal Data will meet governed by this Agreement; 8.4.3 any breach by the requirements Agent, its employees, officers, agents or subcontractors of the Privacy Laws. Recipient agrees provisions of this Clause 8; or 8.4.4 any enquiry, investigation or enforcement proceeding relating to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that the Personal Data has been under this Agreement. 8.5 The Agent shall not disclose or may have been lost, damaged release any personal data in response to a subject access request or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator regulatory or other third party in connection governmental authority without first consulting with and obtaining the processing consent of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient RACMS. 8.6 The Agent shall not transfer any Personal Data personal data to a territory countries outside of the European Economic Area ("EEA") unless it has taken without the prior written consent of RACMS. 8.7 The Agent agrees to provide all necessary notices and obtain all necessary consents from individuals whose personal data is passed by the Agent to RACMS and/or RACIL to satisfy the legal obligations on all Parties to obtain such measures as are necessary information fairly and lawfully under Principle 1 of the DPA. The Agent agrees to ensure the transfer is in compliance provide RACMS and/or RACIL with the Privacy Laws. Such measures opportunity to approve the nature and extent of any notices and/or consents provided to and/or obtained from the individuals in question. 
8.8 The Agent shall indemnify each of RACMS and RACIL against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith by RACMS or RACIL (as the case may be) as a result of any breach of the DPA and/or this Clause 8 by the Agent, its employees or agents.

Appears in 1 contract

Sources: Terms of Business Agreement (Toba)

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records 
Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3, and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 1 contract

Sources: NHS Terms and Conditions for the Provision of Services

Data Protection. 13.1 The Provider OR Each party shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data. 13.2 The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with this Agreement. 13.3 The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to this Agreement: (a) the Personal Data of data subjects falling within the categories specified in Section 1 of Schedule 3 (Data processing information) (or such other categories as may be agreed by the parties in writing); and (b) Personal Data of the types specified in Section 2 of Schedule 3 (Data processing information) (or such other types as may be agreed by the parties in writing). 13.4 The Provider shall only process the Customer Personal Data for the purposes specified in Section 3 of Schedule 3 (Data processing information). 13.5 The Provider shall only process the Customer Personal Data during the Term and for not more than 30 days following the end of the Term, subject to the other provisions of this Clause 13. 13.6 The Provider shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to a third country under the Data Protection Laws), as set out in this Agreement or any other document agreed by the parties in writing.
13.7 The Customer hereby authorises the Provider to make the following transfers of Customer Personal Data: (a) the Provider may transfer the Customer Personal Data internally to its own employees, offices and facilities in jurisdiction(s), providing that such transfers must be protected by appropriate safeguards; (b) the Provider may transfer the Customer Personal Data to its third party processors in the relevant jurisdictions and may permit its third party processors to make such transfers, providing that such transfers must be protected by any appropriate safeguards identified therein; and (c) the Provider may transfer the Customer Personal Data to a country, a territory or sector to the extent that the competent data protection authorities have decided that the country, territory or sector ensures an adequate level of protection for Personal Data, and the relevant data sovereignty laws may require. 13.8 The Provider shall promptly inform the Customer if, in the opinion of the Provider, an instruction of the Customer relating to the processing of the Customer Personal Data infringes the Data Protection Laws. 13.9 Notwithstanding any other provision of this Agreement, the Provider may process the Customer Personal Data if and to the extent that the Provider is required to do so by applicable law. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. 13.10 The Provider shall ensure that persons authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
13.11 The Provider and the Customer shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data. 13.12 The Provider must not engage any new third party to process the Customer Personal Data without the prior specific or general written authorisation of the Customer. 13.13 As at the Effective Date, the Provider is hereby authorised by the Customer to engage, as sub-processors with respect to Customer Personal Data, the existing third party sub-processors 13.14 The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws. 13.15 The Provider shall assist the Customer in ensuring compliance with the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 13.15. 13.16 The Provider must notify the Customer of any Personal Data breach affecting the Customer Personal Data without undue delay and, in any case, not later than 24 OR 36 OR 72 hours after the Provider becomes aware of the breach.
13.17 The Provider shall make available to the Customer all information necessary to demonstrate the compliance of the Provider with its obligations under this Clause 13 and the Data Protection Laws. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 13.17, providing that no such charges shall be levied with respect to the completion by the Provider (at the reasonable request of the Customer, not more than once per calendar year) of the standard information security questionnaire of the Customer. 13.18 The Provider shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that applicable law requires storage of the relevant Personal Data. 13.19 The Provider shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in respect of the compliance of the Provider's processing of Customer Personal Data with the Data Protection Laws and this Clause 13. The Provider may charge the Customer at its standard time-based charging rates for any work performed by the Provider at the request of the Customer pursuant to this Clause 13.19, providing that no such charges shall be levied where the request to perform the work arises out of any breach by the Provider of this Agreement or any security breach affecting the systems of the Provider. 13.20 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.

Appears in 1 contract

Sources: Recruiter Terms & Conditions of Trade

Data Protection. 12.1. Each Party shall, at all times, comply with its respective obligations under all relevant data privacy legislation in relation to any personal data collected or processed in the course of the performance of its obligations under this Agreement and more specifically set out in the relevant Order. We shall, in providing the Services, comply with our Privacy Policy relating to the privacy of the Customer Data available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇.▇▇▇/privacy-statement/ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by us at our sole discretion. 12.2. If we process any personal data on your behalf when performing our obligations under this Agreement, you agree that the intention is that you shall be the data controller and we shall be a data processor for the purposes of the applicable data privacy legislation, and in any such case: 12.2.1. you acknowledge and agree that the personal data may be transferred or stored outside the EEA or the country where you and any other permitted users of the Supplies are located in order for us to provide the Supplies and carry out our other obligations under the Agreement; 12.2.2. you shall ensure that you are entitled to transfer the relevant personal data to us so that we may lawfully use, process and transfer the personal data in accordance with the Agreement on your behalf; 12.2.3. you shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; 12.2.4. we shall process the personal data in accordance with the terms of this Agreement and any lawful instructions reasonably given by the Customer from time to time; 12.2.5.
you agree that you will either accept our independent third party audit certification, or be satisfied with our responses to audit questionnaires relating to processing activities covered by this Agreement; and 12.2.6. we shall both take appropriate written consent. Each Party agrees that if it employs or engages any person contrary to the provisions of this Non-Solicitation Clause, the breaching Party shall pay to the damaged Party on demand a sum in liquidated damages equal to fifty per cent (50%) of such person's annual salary immediately prior to the time of leaving the employment of the relevant Party. The parties confirm that this sum represents a genuine pre-estimate of the damaged Party's loss.

Appears in 1 contract

Sources: Customer Agreement

Data Protection. a) The parties acknowledge that personal data may be transferred under this agreement (“Supplier shall maintain the Personal Data”Information in strict confidence and shall not disclose the Personal Information to any third party. The Supplier is only permitted to process the Personal Information on behalf of the Customer for the specified purpose(s) and each party will fully comply with its respective obligations under shall not use the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers Personal Information except for the purposes of their processing operations performed with such Personal Data. Taking into account this Agreement. b) For the state avoidance of the artdoubt, the costs of implementation and Supplier will not use the naturePersonal Information for any marketing purposes nor make any attempt to contact the Customer’s clients, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access its staff or any other unlawful processing (identifiable individual to whom the Personal Information relates. c) The Personal Information shall belong to the Customer and the Supplier shall therefore obtain no rights of any nature in the Personal Information. 
d) The Supplier acknowledges that data subject(s) will have the right at any time to request a “Security Incident”) copy of the Personal Information held by the Supplier and to have that Personal Information corrected if it is inaccurate. The Supplier warrants that the Personal Information provided pursuant to such requests shall be in an easily understandable format. e) The Supplier guarantees that it will remain strict security over the Personal Information and will preserve the integrity and confidentiality of the Personal Informational at all times. f) The Supplier confirms that adequate security measures and precautions are in place to protect the Personal Informational at all times in accordance with current UK data protection legislation and any relevant European Union data protection regulations or directives from time to time. g) The Supplier undertakes to comply with the provisions of the Data Protection Act 1998 (or any subsequent re-enactment or replacement data protection legislation) in respect of all Personal Information that will be passed on to them or processed by them during the course of this Agreement. h) The Supplier shall allow the Customer access to the Personal Information in its possession for the purpose of inspection of the files records documentation input and output materials and the media and storage facilities where they are located, all standby contingency and data back up/recovery facilities and files and all computer telephone and facsimile systems related to the foregoing provided that the Customer’s employees or agents agree to observe the confidentiality and security procedures implemented by the Supplier. 
i) The supplier will be responsible for maintaining visible audit trails to assist the Customer in checking unauthorized access attempts in respect of the Personal Information j) The Supplier shall not disclose or sub-contract the processing of the Personal Information without obtaining the express written permission of the Customer. k) The Supplier shall only employ such persons to receive and use the Personal Information who have been satisfactorily vetted for reliability, integrity and honesty. l) The Supplier shall disclose the Personal Information on a need-to-know basis only to those of its employees, agents, sub-contractors and consultants who have received proper training in the handling of Personal Information and who require access for the purposes described herein. Prior to disclosing the Personal Information or any portion thereof to such employees, agents, sub-contractors and consultants, the Supplier shall issue proper instructions requiring them to comply with the Supplier’s obligations herein to receive and treat the Personal Information as confidential and subject to non-disclosure on the same conditions as contained herein. m) The Supplier shall take reasonable steps immediate disciplinary action against any of its employees, agents, sub-contractors and consultants who have failed to mitigate adhere to or ignore the impact procedures and restrictions in respect of the Personal Information set out herein. n) The personal Information shall not be mechanically copied or otherwise reproduced by the Supplier and shall not be altered or supplemented with other data without the express written consent of the Customer. o) The Supplier shall immediately advise the Customer of any suspected or actual breaches in respect of the Personal Information sent by the Customer. p) The Supplier shall, upon the request of the Customer, return the Personal Information and any copies thereof under the Supplier’s control or power. 
The Supplier shall destroy or dispose of the Personal Information only with the express written consent of the Customer. Such destruction or disposal shall be carried out in accordance with the Customer’s instructions and applicable statutory requirements regarding waste disposal. q) Without prejudicing the foregoing, the Personal Information shall at all times be given such Security Incidentprotection by the Supplier as is given to its own confidential information. r) The Supplier warrants that it shall cease to process the Personal Information immediately if directed by the Customer or by a Court of Law. s) The Supplier warrants that it shall promptly amend or delete any Personal Information if directed to do so by the Customer of a Court of Law. t) This Agreement is binding upon the Supplier and its associated companies and associates. In the event that Recipient receives (i) any request from a data subject to exercise The Supplier shall neither assign any of its rights under Privacy Laws in relation and obligations to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party nor transfer any of the Personal Information to any third party. u) The Supplier acknowledges that the Customer could be irreparably injured by a breach of this Agreement by the Supplier and shall be entitled to any remedies available at law. v) When handling any Personal Information, which is stored on Media, the Supplier shall ensure that it is transmitted or transported via a secure delivery method to minimize unauthorized interception and disclosure. 
w) All Media in connection with electronic form must be virus checked by the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider Customer and the parties shall cooperate in good faith as necessary Supplier will endeavour to respond ensure that no computer virus is introduced to such Correspondence and fulfill their respective obligations under Privacy Lawsthe Customer’s computer equipment or systems by an act. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside Omission or negligence of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is Supplier, its employees, agents or sub-contractors in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors respect of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorPersonal Information.

Appears in 1 contract

Sources: Data Protection Agreement

Data Protection. The parties acknowledge that personal data may be transferred under this agreement (“Personal Data”) and each party will fully 30.1 Each Party undertakes to comply with its respective obligations under the General Data Protection Regulation Legislation in relation to the Personal Data and neither Party shall put the other Party in breach of the Data Protection Legislation. 30.2 Without limiting Section 28, each Party shall provide to the other Party (EU)2016/679 on an on-request or proactive basis, as required) all relevant information, data, materials and assistance in its possession or control as necessary to enable the other Party to comply with its obligations under the Data Protection Legislation, including as such relate to the exercising of any rights under Data Protection Legislation by a Data Subject or the fulfilment of obligations relating to the notification of any Personal Data Breach. 30.3 To the extent that the manager acts as a data processor (as defined in the Data Protection Legislation) (only), it shall: (a) only provide Personal Data to any sub-contractor for the purposes of Processing by that sub-contractor with the prior written consent of the Client (such consent not to be unreasonably withheld, conditioned or delayed) and shall ensure that each sub-contractor is subject to contractual obligations as regards its Processing of that Personal Data which are equivalent to those set out in this Section 30.3; (b) Process any Personal Data only during the term of this Agreement, for the purpose of providing services in relation to the Portfolio (and otherwise performing its obligations) under this Agreement and at all times in accordance with the written instructions of the Client (including as set out in this Agreement), except to the extent that it is required to Process any Personal Data in any other way under applicable complementing national laws law (jointly “Privacy Laws”and in which case Cadro shall, to the extent 
permitted under the relevant applicable law, provide the Client with notice of that alternative Processing). The Cadro shall also inform the Client if, in Cadro’s opinion, any such instruction by the Client infringes any Data Protection Legislation; (c) permit access to Personal Data by its Personnel or authorised third parties are independent controllers of their processing operations performed with only if the person accessing such Personal Data. Taking into account Data is under appropriate confidentiality obligations and Cadro has taken reasonable steps to ensure the state reliability of the art, the costs of implementation relevant person; (d) have in place now and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain shall on a continuing basis take appropriate technical and organizational organisational measures in such a manner that processing of to keep Personal Data will meet confidential and secure and to protect Personal Data against accidental loss or unlawful destruction, alteration, disclosure or access; (e) on termination or expiry of this Agreement (and except as otherwise required under applicable law), delete or return to the requirements Client (as the Client elects) all Personal Data; (f) on reasonable request, make available to the Client copies of the Privacy Lawsinformation strictly required by the Client to enable the Client to assess Cadro's compliance with this Section 30.3. 
Recipient agrees Further, on reasonable notice and during Cadro’s usual business hours (and only to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject the extent such audit is conducted without interruption to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"Cadro's business operations), it the Client or an auditor nominated by the Client shall promptly inform Provider be entitled to audit Cadro’s premises and Client-related computer systems once in any 12 month period for the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing purpose of Personal Data identified by Provider. Recipient shall not assessing Cadro's compliance with this Section 30.3; and (g) only transfer any Personal Data to a territory outside of the European Economic Area having in advance discussed and agreed with the Client ("EEA"such agreement not to be unreasonably withheld, conditioned or delayed) unless how such transfer is to be conducted in compliance with Data Protection Legislation. 
30.4 In relation to all Personal Data provided by or on behalf of the Client to Cadro to Process as envisaged under this Agreement, the Client warrants to Cadro that the provision of such Personal Data is fair and lawful and, in particular and without in any way limiting the foregoing, that the Client has: (a) a valid justification under Data Protection Legislation for providing to Cadro such Personal Data for Cadro to Process as envisaged under this Agreement; and (b) provided all necessary privacy notices to and, if and to the extent necessary, obtained all consents from all relevant Data Subjects relating to the Processing by Cadro of such Personal Data so that Cadro’s Processing of it has taken such measures as are necessary to ensure the transfer envisaged by this Agreement is in compliance with the Privacy Laws. Such measures may include transferring the all Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorProtection Legislation.

Appears in 1 contract

Sources: Investment Management Agreement

Data Protection. The parties acknowledge that personal data may be transferred under 36.1 In this agreement (Agreement the terms “Personal Data”, “Data Processor”, “Data Subject”, “Process” and “Data Controller” are as defined in the Data Protection Act 1988 (“Act”) and each party will fully or the GDPR or other data protection legislation in force in the UK from time to time. Each Party shall comply with its respective obligations under the General provisions of the Act. 36.2 The Data Protection Regulation (EU)2016/679 Controller shall be determined in accordance with the Act. 36.3 Insofar as ADAPTIMMUNE provides or otherwise makes available Personal Data to Catapult and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account Data is Processed by Catapult, or if Catapult is required to Process Personal Data in connection with this Agreement; Catapult shall (a) keep such Personal Data strictly confidential; (b) only distribute to employees of Catapult to the state extent such employees require access to such Personal Data for the performance of the artAgreement; (c) not transfer such Personal Data to any third party (including any sub-contractor) without the prior written approval of ADAPTIMMUNE; outside of the EU; (e) only transfer Personal Data outside of the EU with the prior written consent of ADAPTIMMUNE; (f) only Process the Personal Data for purposes authorised by ADAPTIMMUNE and in accordance with any instructions provided by ADAPTIMMUNE (and for clarity, any purpose set out in this Agreement will be deemed to meet this requirement to the costs of implementation and the nature, scope, context and purposes of extent processing as well as the risk of varying likelihood and severity is require for the rights performance of that purpose); and freedoms of data subjects, Recipient will maintain appropriate technical and 
organizational measures in (g) keep such a manner that processing of Personal Data will meet secure in accordance with the requirements of the Privacy LawsAct and the principles articulated in the Act. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) Should Catapult receive any request from a data subject to exercise any of its rights under Privacy Laws Data Subject in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data provided by ADAPTIMMUNE, Catapult shall immediately pass on such Data Subject request to a territory outside of ADAPTIMMUNE. 36.4 To the European Economic Area ("EEA") unless it has taken such measures as are necessary extent required under data protection legislation, each Party will permit and assist the other to ensure the transfer is in compliance with the Privacy Lawscarry out any privacy impact assessments or other data protection assessments reasonably required under data protection legislation. 
Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved AGREED by the European Commission. Recipient will not make any effort to identify individuals who are or may be parties through their duly authorised representatives on the donors date written at the start of this Agreement: SIGNED for and on behalf of: SIGNED for and on behalf of: Signature: /s/ ▇▇▇▇▇▇▇ ▇▇▇▇▇ Signature: /s/ ▇▇▇▇▇ ▇▇▇▇▇ Name: ▇▇▇▇▇▇▇ ▇▇▇▇▇ Name: ▇▇▇▇▇ ▇▇▇▇▇ Title: CBO Title: CEO A. Development and operation of ADAPTIMMUNE Manufacturing Process for the Original Material production of ADAPTIMMUNE Product B. Development and may not combine Data or results of the Project with other data which may result in identification operation of a donor.multi-product manufacturing centre and its associated quality management system C. Development and operation of a supply and distribution chain

Appears in 1 contract

Sources: Collaboration Agreement (Adaptimmune Therapeutics PLC)

Data Protection. (a) The parties acknowledge that personal Company is compliant with all applicable data may be transferred under this agreement (“Personal Data”) protection laws and each party will fully comply has complied in all material respects with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the all relevant requirements of the Data Protection ▇▇▇ ▇▇▇▇ and the Privacy Laws. Recipient agrees to notify Provider within a period and Electronic Communications (EC Directive) Regulations 2003 (including all binding codes of 48 hours where Recipient becomes aware of practice and guidance issued by the UK Information Commissioner thereunder) (or reasonably suspects that Personal equivalent legislation applicable in other jurisdictions) (Data has been or may have been lostProtection Legislation), damaged or subject to unauthorized internal or external access or any other unlawful processing including (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. 
In the event that Recipient receives without limitation): (i) informing data subjects of the identity of the data controller, its nominated representative, the uses made of the data and any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data potential disclosures and obtaining their consent (including its rights of access, correction, objection and erasure); and (iiif necessary) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data personal data; (collectivelyii) having in place appropriate technical and organisational measures against the accidental or unauthorised destruction, "Correspondence")loss, it shall promptly inform Provider alteration or disclosure of personal data and the parties shall cooperate procedures to ensure that unauthorised persons do not have access to any equipment used to process such data; (iii) having in good faith as necessary place appropriate systems to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer identify which individuals have instructed any Personal Data to a territory outside member of the European Economic Area Group that they do not wish to receive marketing information and comply with such instructions; ("EEA"iv) unless it has taken such measures as are necessary responding to ensure requests from data subjects for access to data held by it; and (v) the transfer is requirements relating to the registration of data controllers. (b) The Company operates fully in compliance with its data protection policies and data protection manuals (attached to the Privacy Laws. Such measures may include transferring Disclosure Letter). 
(c) No individual has claimed in writing to the Company, and as far as the Warrantors are aware no grounds exist for any data subject to make a valid claim for compensation from any member of the Group under the Data to a country that the European Commission has decided provides adequate protection Protection Legislation for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; loss or to a Recipient that has executed standard contractual clauses adopted unauthorised disclosure of data or approved by the European Commission. Recipient will not make for any effort to identify individuals who are or may be the donors contravention of any of the Original Material and may not combine Data or results requirements of the Project Data Protection Legislation. (d) The Company has not received a written notice or written allegation from either the Information Commissioner (or the equivalent in any applicable jurisdiction) or a data subject alleging non-compliance with the data protection principles or any other provisions of the Data Protection Legislation. (e) So far as the Warrantors are aware, the Company has in the 18 month period immediately preceding the date of this Agreement complied in all material respects with Payment Card Industry Data Security Standard, Payment Application Data Security Standard and all applicable Regulations concerning data which may result in identification of a donorsecurity.

Appears in 1 contract

Sources: Share Purchase Agreement (Stream Global Services, Inc.)

Data Protection. The parties acknowledge Parties agree that personal data may be transferred in relation to: Personal Data processed by the Contractor in providing Services under this agreement Agreement (for example, patient details, medical history and treatment details), the Contractor shall be the sole Data Controller; and Personal Data, the processing of which is required by CGL or the Head Contractor for the purposes of quality assurance, performance management and contract management CGL, the Head Contractor and the Contractor will be independent Data Controllers; together the “Agreed Purpose) and each party will fully comply with its respective obligations . Where CGL or the Head Contractor requires information under clause 6.1.2 above, the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Contractor shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Where Personal Data will must be shared in order to meet the requirements of CGL or the Privacy LawsHead Contractor, the Contractor shall provide such information in pseudonymised form where possible. 
Recipient agrees to notify Provider within a period Schedule 2 sets out the categories of 48 hours where Recipient becomes aware Data Subjects, types of or reasonably suspects that Personal Data has been or may have been lostData, damaged or subject to unauthorized internal or external access or any other unlawful processing Processing operations (a “Security Incident”including scope, nature and purpose of Processing) and to take reasonable steps to mitigate the impact duration of any such Security IncidentProcessing. In Each Party shall comply with all the event that Recipient receives (i) any request from obligations imposed on a data subject to exercise any of its rights Data Controller under Privacy the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, gives grounds to the other Party to terminate this Agreement with immediate effect. 
In relation to the Processing of any Personal Data, each Party shall: ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; process the Personal Data only for the Agreed Purpose; not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the care and handling of Personal Data; ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including its rights obligations of accessconfidentiality) which are no less onerous than those imposed by this Agreement; ensure that it has in place appropriate technical and organisational measures, correction, objection and erasure); and (ii) any other correspondence, inquiry to protect against unauthorised or complaint received from a data subject, regulator or other third party in connection with the processing unlawful Processing of Personal Data (collectivelyand against accidental loss or destruction of, "Correspondence")or damage to, it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall in accordance with Article 32 GDPR; not transfer any Personal Data to a territory outside of the European Economic Area unless the transferor ensures that ("EEA"i) unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. 
Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European CommissionCommission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; and assist the other Party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Commissioner’s Office. Recipient will Each Party shall notify the other Party without undue delay on becoming aware of any Personal Data Breach under this Agreement. Each Party acknowledges that the Party is committed to eliminating all risk of bribery and corruption in its business relationships. Each Party acknowledges and agrees that the other Party shall not be under any obligation to carry out any action or make any effort omission under this Agreement to identify individuals who are or may the extent that it reasonably believes would be the donors in breach of the Original Material any Anti-Corruption Legislation. Each Party acknowledges and may not combine Data or results of the Project with other data which may result agrees that neither it nor any third party has breached any Anti-Corruption Legislation in identification of a donororder for it to enter into this Agreement.

Appears in 1 contract

Sources: Service Level Agreement

Data Protection. The parties acknowledge that personal data may be transferred under this agreement Where SurveyMonkey is processing Personal Data for Customer, SurveyMonkey will: (“Personal Data”a) only do so on documented Customer instructions and each party will fully comply in accordance with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed law, including with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing regard to transfers of Personal Data will meet to other jurisdictions or an international organization, and the requirements parties agree that these Terms of Use constitute such documented instructions of the Privacy Laws. Recipient agrees Customer to notify Provider within a period SurveyMonkey to process Customer Data; (b) to the extent applicable, for data transfers SurveyMonkey Europe UC relies upon the Standard Contractual Clauses and/or consent for personal data transfers to countries that do not have adequate levels of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lostdata protection as determined by the European Commission, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator United Kingdom or other third party in jurisdictions which approve and require Standard Contractual Clauses; connection with the processing Kingdom or with respect to any transfers of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside out of the European Economic Area ("EEA"), the United (c) unless it has taken such measures as other country requiring Standard Contractual Clauses, that may be required in relation to or in the Terms of Use and the provision of the Services hereunder, the parties shall comply with and be subject to all obligations imposed on a ‘data importer’ or data exporter as appropriate under the Standard Contractual Clauses; (d) ensure that all SurveyMonkey personnel involved in the processing of Personal Data are subject to confidentiality obligations in respect of the Personal Data; (e) make available information necessary for Customer to ensure the transfer is in demonstrate compliance with its Article 28 obligations (if applicable to the Privacy LawsCustomer) where such information is held by SurveyMonkey and is not otherwise available to Customer through its account and user areas or on SurveyMonkey websites, provided that Customer provides SurveyMonkey with at least 14 days' written notice of such an information request; (f) cooperate as reasonably requested by Customer to enable 
Customer to comply with any exercise of rights by a Data Subject afforded to Data Subjects by Data Protection Legislation in respect of Personal Data processed by SurveyMonkey in providing the Services; provide assistance, where necessary with all requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services; (g) upon deletion, by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies; (h) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required; (i) not store Personal Data (in a format that permits identification of relevant Data Subjects) for longer than is necessary for the purposes for which the data is processed save to the extent such retention is required for legitimate business purposes (with respect to, for example, security and billing), in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes; (j) where required by Data Protection Legislation, inform Customer if it comes to SurveyMonkey’s attention that any instructions received from Customer infringe the provisions of Data Protection Legislation, provided that notwithstanding the foregoing, SurveyMonkey shall have no obligation to review the lawfulness of any instruction received from the Customer. 
Such measures If this provision is invoked, SurveyMonkey will not be liable to Customer under the Terms of Use for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing; and (k) assist Customer as reasonably required where Customer (i) conducts a data protection impact assessment involving the Services (which may include transferring the Data by provision of documentation to allow customer to conduct their own assessment); or (ii) is required to notify a Security Incident (as defined below) to a country that the European Commission has decided provides adequate protection for personal data; to supervisory authority or a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other relevant data which may result in identification of a donorsubject.

Appears in 1 contract

Sources: End User Terms of Use

Data Protection. 21.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 21 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 21.2 The parties acknowledge that if ABP Consultancy processes any personal data may be transferred on the Client's behalf when performing its obligations under this agreement Agreement, the Client is the controller and ABP Consultancy is the processor for the purposes of the Data Protection Legislation. 21.3 Without prejudice to the generality of clause 21.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to ABP Consultancy for the duration and purposes of this Agreement so that ABP Consultancy may lawfully use, process and transfer the personal data in accordance with this Agreement on the Client's behalf. 21.4 Without prejudice to the generality of clause 21.1ABP Consultancy shall, in relation to any personal data processed in connection with the performance by ABP Consultancy of its obligations under this Agreement: 21.4.1 process that personal data only on the documented written instructions of the Client unless ABP Consultancy is required by the laws of any member of the European Union or by the Local Data Protection Legislation and any other law to which ABP Consultancy is subject in relation to the processing of personal data for the purposes of this Agreement (“Personal Data”Applicable Laws). Where ABP Consultancy is relying on Applicable Laws as the basis for processing personal data, ABP Consultancy shall ABP Consultancy: Master Services Agreement. 
promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit ABP Consultancy from so notifying the Client; 21.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 21.4.3 not transfer any personal data outside of the Permitted Data Area unless the following conditions are fulfilled: (a) the Client or ABP Consultancy has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and each party will fully comply effective legal remedies; (c) ABP Consultancy complies with its respective obligations under the General Local Data Protection Regulation Legislation including where so required by providing an adequate level of protection to any personal data that is transferred; and (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). 
The parties are independent controllers of their d) ABP Consultancy complies with reasonable instructions notified to it in advance by the Client with respect to the processing operations performed with such Personal Data. Taking into account the state of the artpersonal data; 21.4.4 assist the Client, at the costs of implementation and the natureClient's cost, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees responding to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to exercise security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 21.4.5 notify the Client without undue delay and in any event within 2 Business Days on becoming aware of a personal data breach; 21.4.6 at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the personal data;
21.4.7 maintain complete and accurate records and information to demonstrate its rights under Privacy Laws compliance with this clause 23 and allow for audits by the Client or the Client's designated auditor and immediately inform the Client if, in the opinion of ABP Consultancy, an instruction infringes the Data Protection Legislation; and 21.4.8 indemnify the Client against any loss or damage suffered by the Client in relation to Personal Data (including any breach by ABP Consultancy of its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Providerthis clause 23. 21.5 The Client does not consent to ABP Consultancy appointing any third-party processor of personal data under this Agreement without the Client’s requestprior written consent. 21.6 Either party may, Recipient at any time on not less than 30 days' notice, revise this clause 21 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall restrict apply when replaced by attachment to this Agreement). 21.7 Without prejudice to the processing generality of Personal Data identified by Provider. 
Recipient shall not transfer clause 21.1ABP Consultancy shall 21.7.1 take reasonable precautions to preserve the integrity of any Personal Data data which it processes and to prevent any corruption or loss of such data; 21.7.2 make a territory outside backup copy of such data every week and record the copy on media from which the data can be reloaded if there is any corruption or loss of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.

Appears in 1 contract

Sources: Master Services Agreement