Common use of Data Protection Clause in Contracts

Data Protection. The parties acknowledge that personal data may be transferred under this agreement (“Personal Data”) and each party will fully comply with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. 
Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.

Appears in 4 contracts

Sources: Human Material Transfer Agreement for Non Academic Use, Human Material Transfer Agreement, Human Material Transfer Agreement

Data Protection. 18.1 The Servicer and the Mortgages Trustee each represents that as at the date hereof it has and hereafter it will maintain all appropriate registrations, licences, consents and authorities (if any) required under the Data Protection ▇▇▇ ▇▇▇▇ together, with its ancillary legislation (the DATA PROTECTION ACT) to enable it to perform its respective obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Servicer and the Mortgages Trustee hereby agree and covenant as follows: (a) that only data that is not "personal data" (as described in the Data Protection Act) may be transferred by the Servicer to the Mortgages Trustee or any other entity located in Jersey unless: (i) Jersey is determined, on the basis of Article 25(b) of Directive 95/46/EC, a third country which ensures an adequate level of protection of "personal data" by the European Commission or (ii) the Servicer and the Mortgages Trustee have entered into a data transfer agreement in a form approved by the EC Commission as meeting the requirements of Article 26(2) of Directive 95/46/EC for the transfer of personal data to third countries which do not ensure an adequate level of protection (the STANDARD CONTRACTUAL CLAUSES) in which case, subject to Clause 18(e), the Servicer may transfer such personal data to the Mortgages Trustee in Jersey); (b) that if, at the date at which circumstances enable the Mortgages Trustee to exercise its right to demand that the Servicer transfer inter alia personal data to the Mortgages Trustee, (i) Jersey has been determined, on the basis of Article 25(b) of Directive 95/46/EC a third country which ensures an adequate level of protection of personal data by the European Commission or (ii) the Servicer and the Mortgages Trustee have entered into the Standard Contractual Clauses then, subject to the CLAUSE 18(E), the Servicer shall transfer the relevant personal data to the Mortgages Trustee or to its order; (c) that the Servicer will, if the Mortgages Trustee requires the Servicer to do so, take all reasonable steps to notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act) and provide each such Borrower with such details as the Mortgage Trustee shall reasonably request including but not limited to the Mortgages Trustee's contact details for the purposes of the Data Protection Act; (d) that the Servicer and the Mortgages Trustee will only use any data in relation to the Loans and the related Borrowers for the purposes of administering and/or managing the Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the Data Protection Act, the conditions stated in this CLAUSE 18 and for the sole purpose of administering and/or managing the Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) or any law which supersedes or replaces the Data Protection (Jersey) Law 1987 and (so long as the provisions of the Data Protection Act do not conflict with the provisions of the Data Protection (Jersey) Law 1987 (as amended) or any law which supersedes or replaces the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act; (f) that the Mortgages Trustee shall maintain a written record of its reasons for applying the Data Protection Order 2000/185 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of the Data Protection Act). 18.2 The Servicer will use all reasonable endeavours to ensure that, in the event of the appointment of a sub-contractor in accordance with CLAUSE 3.2 such sub-contractor shall obtain and maintain all appropriate registrations, licences, consents and authorities required (including, without limitation, those required under the Data Protection Act), and comply with obligations equivalent to those imposed on the Servicer in this CLAUSE 18, to enable it to perform its obligations.

Appears in 3 contracts

Sources: Servicing Agreement (Permanent Financing (No. 5) PLC), Servicing Agreement (Permanent Financing (No. 6) PLC), Servicing Agreement (Permanent Mortgages Trustee LTD)

Data Protection. 7.1 To the extent that Personal Data is processed using the Product, the Parties acknowledge that Bynder is a Data Processor and Customer is a Data Controller and each Party shall comply with their respective statutory or regulatory data protection obligations. 7.2 Bynder, its subcontractors, licensors, and hosts, shall take sufficient and appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data, having regard to the state of technological development and cost of implementing any measures, to ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage and the nature of the Personal Data to be protected. 7.3 Bynder shall process Personal Data in accordance with Customer’s instructions. Should Customer’s instructions contravene or appear likely to contravene legislation binding Bynder, Bynder will notify Customer and request alternative instructions not in contravention of such legislation. Bynder shall have no liability whatsoever for breaches of Data Protection Legislation that arise as a result of its following Customer’s instructions in implementing and supplying the Product. 7.4 Customer is fully responsible for its Customer Data and guarantees to Bynder that the content, use, and/or processing of the Customer Data are not unlawful and do not infringe the rights of any third party. 7.5 Customer shall ensure that all Personal Data that it supplies or discloses to Bynder has been obtained fairly and lawfully and that it will obtain all consents from Data Subjects and registrations with authorities that are required to permit Bynder to transfer Personal Data to third parties to fulfil its obligations under this Agreement. 7.6 Customer indemnifies Bynder against any claim of a third party, including Data Subjects, instituted for whatever reason in connection with its Customer Data or the performance of this Agreement. 7.7 If a third party alleges infringement of its data protection rights, Bynder shall be entitled to take reasonable measures it deems necessary to prevent the infringement of a third party’s rights from continuing. 7.8 Bynder shall have no liability whatsoever for the protection of Personal Data in the event that Customer uses a Bynder Product to release Personal Data to unauthorised persons, entities, or organisations. 7.9 Subject to applicable Data Protection Legislation, if a Data Subject submits a disclosure request to Customer to find out what of their Personal Data Customer holds, and/or to obtain a copy of their Personal Data, Bynder shall inform Customer, unless prohibited by law, and will cooperate and invoice Customer on a time and material basis for any work conducted in fulfilling such requests. Should Bynder be required by law to supply personal data to third parties, Subsection 4.6 shall apply.

Appears in 3 contracts

Sources: Standard Terms of Service, Standard Terms of Service, Standard Terms of Service

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); carry out the processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; notify the CLIENT (within five (5) Working Days) if it receives:

Appears in 3 contracts

Sources: Legal Services Framework Agreement, Legal Services Framework Agreement, Legal Services Framework Agreement

Data Protection. 22.1 Each Consortium Member shall ensure that at all times it complies with its obligations under this Agreement in manner so as to comply with the DPA and all relevant regulations relating to data protection. 22.2 Each Consortium Member warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to Process Personal Data for the purposes of performing its obligations under this Agreement. 22.3 Each Consortium Member undertakes that to the extent that it and/or any of its employees receives, has access to and/or is required to Process Personal Data on behalf of the GLA (the GLA's Personal Data) for the purpose of performing its obligations under this Agreement it will at all times act as if it were a Data Controller and comply with the provisions of the DPA for the time being in force. 22.4 Each Consortium Member shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the GLA's Personal Data and any person it authorises to have access to any the GLA's Personal Data will respect and maintain the confidentiality and security of the GLA's Personal Data. 22.5 Each Consortium Member shall allow the GLA to audit its compliance with the requirements of this Condition 22 on reasonable notice and/or, at the GLA's request, provide the GLA with evidence of its compliance with the obligations within this Condition 22. 22.6 Each Consortium Member undertakes not to disclose or transfer any of the GLA's Personal Data to any third party without the prior written consent of the GLA save that without prejudice to Condition 22.3 each Consortium Member shall be entitled to disclose the GLA's Personal Data to employees to whom such disclosure is reasonably necessary in order for that Consortium Member to perform its obligations under this Agreement, or to the extent required under a court order. 22.7 Each Consortium Member agrees to use all reasonable efforts to assist the GLA to comply with such obligations as are imposed on the GLA by the DPA. 22.8 Each Consortium Member shall indemnify the GLA against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by the GLA as a result of the destruction, damage or loss of the GLA's Personal Data processed by its employees, agents, or any breach of or other failure to comply with the obligations in the DPA and/or this Condition 22 by the Consortium Member, its employees, agents or sub-contractors. 22.9 Each Consortium Member undertakes to include obligations no less onerous than those set out in this Condition 22, in all contractual arrangements with agents engaged by it in performing its obligations under this Agreement to the GLA.

Appears in 3 contracts

Sources: Consortium Grant Agreement, Consortium Grant Agreement, Approved Provider Consortium Grant Agreement

Data Protection. 12.1 The Company and the Customer agree that for the purpose of Data Protection Legislation that the Customer shall be the Data Controller and the Company shall be the Data Processor in respect of any Personal Data which is transferred from the Customer to the Company under the terms of this Contract. 12.2 As a Data Processor the Company shall Process the Personal Data only to the extent necessary to perform its obligations pursuant to this Contract and/or in accordance with the Customer’s instructions from time to time, and shall not Process the Personal Data for any other purpose other than enabling it to fulfil its obligations pursuant to this Contract or to perform any other activity which may be authorised by the Customer from time to time. 12.3 Where a party is a Data Processor pursuant to this Contract it shall take reasonable steps to ensure that its employees and agents are informed of its obligations in relation to Personal Data that it collects, transfers or holds, and its employees and agents shall Process such information in confidence and in accordance with all relevant Data Protection Legislation. 12.4 Each party warrants to the other that it will Process the other’s Personal Data in compliance with all applicable Data Protection Legislation. 12.5 Where a party to this Contract becomes a Data Processor pursuant to it, it warrants that in relation to the Personal Data in respect of which it is a Data Processor that: 12.5.1 having regard to the reasonably available state of the art of technological development, the nature of the Processing in question, the cost of implementation, and the material risk to the rights of affected Data Subjects, the Data Processor will take appropriate technical and organisational measures to secure relevant Personal Data against the unauthorised or unlawful Processing and against the accidental loss or destruction; 12.5.2 it will assist the Data Controller, insofar as reasonably possible, in responding to any requests made by any relevant Data Subject which concern the exercise of that Data Subject’s rights under the GDPR, subject to Data Controller reimbursing it for the cost of the same; 12.5.3 it will notify the Data Controller, insofar as reasonably possible, of any relevant requests for the disclosure of Personal Data which may be made to it and which it considers that it is legally obliged to respond to, subject to Data Controller reimbursing it for the cost of the same; 12.5.4 it will report to the Data Controller any actual data breach concerning Personal Data that relates to this Contract which comes to its attention and shall assist the Data Controller to inform the relevant regulator and affected Data Subjects, subject to Data Controller reimbursing it for the cost of the same; 12.5.5 it will, on request, take reasonable steps to demonstrate to the Data Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation, subject to Data Controller reimbursing it for the cost of the same; and 12.5.6 it shall hold all Personal Data in confidence, subject to security measures no less rigorous than those which it uses to safeguard its own confidential information. 12.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations pursuant this clause 12. In order to avail itself of this indemnity the claiming party must: promptly notify the indemnifier of any relevant claim of which the indemnified party becomes aware; not make any admission of liability or offer to settle in respect of any relevant claim without the prior written permission of the indemnifier; grant the indemnifier full control of all relevant proceedings on request, and; provide the indemnifier with such assistance in dealing with such claims as it may reasonably request. 12.7 The parties acknowledge that to the extent that a party is a Data Processor pursuant to this Contract it will be reliant on the other, the Data Controller, for direction as to the extent to which the Data Controller will be entitled to use and Process the relevant Personal Data. Consequently, the Data Processor will not be liable to the Data Controller for any loss or damage which arises from any claim brought by a Data Subject or any fine levied by any relevant regulatory authority which results from any action or omission by the Data Processor, to the extent that such action or omission resulted directly from the Data Controller’s instructions. 12.8 The Company confirms that it will treat all Personal Data which is transferred to it under the terms of this Contract in line with their Privacy Policy.

Appears in 3 contracts

Sources: Master Service Agreement, Master Service Agreement, Master Service Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement.
The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure the adequate protection of the personal data.
For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 3 contracts

Sources: Deal Sheet, Data License Agreement, Data Licence Agreement

Data Protection. 8.1 The terms defined in the EU General Data Protection Regulation 2016/679, (the “GDPR”) and the Regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, Regulation 2018/1725 (the “EU DPR”) have the same meaning when used in this clause.
8.2 The Parties acknowledge that each of them will act as independent controller and not as a processor on behalf of, or joint controller with, the other Party, when processing personal data in connection with the Services, including data processing performed in compliance with their obligations at law. The Service Provider shall comply with the GDPR and all other applicable data protection and data privacy laws (the “Data Protection Laws”) in disclosing personal data to EIB or otherwise processing personal data in connection with the Agreement and any Contract. 8.3 Before disclosing any personal data (other than mere contact information relating to the Service Provider’s personnel involved in the management of the Agreement and any Contract (“Contact Data”)) to EIB in connection with the Agreement and any Contract, the Service Provider shall ensure that each data subject of such personal data: (a) has been informed of the disclosure to EIB (including the categories of personal data to be disclosed); and (b) has been advised on the information contained in or has been provided with an appropriate link to EIB’s privacy statement in relation to its procurement and contract management activities as set out from time to time at <▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/en/privacy/procurement.htm> or such other address as the Bank may notify to the Service Provider in writing.
8.4 The Service Provider shall promptly inform EIB in writing, with full details, if it: (a) becomes aware of any personal data breach; or (b) receives any communication from: (i) a data subject seeking to exercise a right under, or alleging breach of, the GDPR or any other applicable data protection or data privacy law; or (ii) a supervisory authority or other competent data protection authority, in relation to personal data disclosed or to be disclosed by EIB to the Service Provider or by the Service Provider to EIB, or otherwise processed by the Service Provider in connection with the Agreement and any Contract. 8.5 The Service Provider shall give EIB such information, co-operation and assistance as EIB reasonably requests to enable it to address the legal or other consequences of that personal data breach or of the subject matter of that communication. 8.6 The Service Provider shall notify EIB without delay of any legally binding request for disclosure of the personal data transmitted to it by EIB made by any national public authority, including an authority from a third country.

Appears in 3 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey);
(c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio;
(e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mortgages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 3 contracts

Sources: Administration Agreement (Granite Mortgages 03-3 PLC), Administration Agreement (Granite Mortgages 03-1 PLC), Administration Agreement (Granite Mortgages 03-2 PLC)

Data Protection. 15.1 In so far that Shared Personal Data is Processed under this Agreement it is understood that the parties will each act in the capacity of an independent Data Controller. 15.2 The Grant Recipient (including its employees agents or officers) and each Delivery Partner shall at all times during the period of this Agreement comply with the provisions and obligations imposed by this clause 15 (Data protection) and the Data Protection Legislation generally, including any requirement to obtain registrations, consents, and provide notifications and relevant privacy information to Data Subjects as required for the purposes of their obligations under this Agreement. 15.3 The Grant Recipient warrants and represents that it and/or any of its employees and each Delivery Partner each have in place appropriate technical and organisational measures to protect the Shared Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
15.4 The Grant Recipient shall notify Homes England without undue delay on becoming aware of any breach of the applicable Data Protection Legislation in relation to the Shared Personal Data. 15.5 Whilst each party shall be responsible for responding to any complaint in relation to the Shared Personal Data Processed pursuant to this Agreement, or any request by individuals to exercise the Data Subject's rights, if necessary the parties will co-operate with each other and provide reasonable assistance with any request, proceedings or inquiry by any affected Data Subject and/or the Information Commissioner or other body authorised by statute which are concerned with the Data Protection Legislation in connection with the Shared Personal Data Processed under this Agreement. 15.6 The provision of this clause 15 (Data protection) shall apply during the continuance of the Agreement and indefinitely after its termination.
15.7 The Grant Recipient shall indemnify Homes England against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by Homes England as a result of the Grant Recipient's destruction of and/or damage to any of the Shared Personal Data processed by the Grant Recipient, its employees, agents, or a Delivery Partner or any breach of or other failure to comply with the obligations in the Data Protection Legislation and/or this clause 15 (Data protection) by the Grant Recipient, its employees, agents or sub-contractors or any Delivery Partners. 15.8 The Grant Recipient shall appoint and identify an individual within its organisation authorised to respond to enquiries from Homes England concerning the Grant Recipient's and each Delivery Partner's Processing of the Shared Personal Data and will deal with all enquiries from Homes England relating to such Personal Data promptly, including those from the Information Commissioner. 15.9 The Grant Recipient undertakes to include obligations no less onerous than those set out in this clause 15 (Data protection), in all contractual arrangements with its Delivery Partners, Group Companies, agents or sub-contractors engaged by the Grant Recipient in performing its obligations under this Agreement to Homes England and to enforce all such obligations on Homes England's request. 15.10 Homes England may, at any time on not less than thirty (30) Business Days' notice, revise this clause 15 (Data protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

Appears in 3 contracts

Sources: Grant Agreement, Grant Agreement, Grant Agreement

Data Protection. Where any Personal Data is Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that either Party may be a Data Controller or a Data Processor. The Parties shall: Process the Personal Data only in accordance with instructions from the other to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or employee unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the other (save where such disclosure or transfer is specifically authorised under this Framework Agreement) and take reasonable steps to ensure the reliability and integrity of any employee who has access to the Personal Data and ensure that they: are aware of and comply with the Provider’s duties under the Framework Agreement; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the disclosing Party or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data (as defined in the DPA); notify the disclosing Party immediately if it becomes aware of an event that results, or may result, in unauthorised access to Personal Data held by the other under a Call-Off Contract, and/or actual or potential loss and/or destruction of Personal Data in breach of a Call-Off Contract, including any Personal Data breach or if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to either Parties obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the disclosing Party with full cooperation and assistance (within the timescales reasonably required by the Disclosing Party) in relation to any complaint, communication or request made (as referred to at Clause 21.2.5) including by promptly providing: full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested to enable the disclosing Party to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and on request any Personal Data it holds in relation to a Data Subject; and if requested by the disclosing Party provide a written description of the measures it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 21.2 and provide copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Parties agree that they shall not Process or otherwise transfer any Personal Data in or to a Restricted Country.
If, after the Commencement Date, either Party or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country outside the European Economic Area, the following provisions shall apply: the Data Processor shall propose a variation to the Data Controller which, if it is agreed, shall be dealt with in accordance with the Framework Agreement Variation Procedure; the Data Processor shall set out in its proposal for a variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Provider will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries to ensure the Data Controllers compliance with the DPA; in providing and evaluating the variation, the Parties shall ensure that they have regard to and comply with then-current the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Data Processor shall comply with such other instructions and shall carry out such other actions as the Data Controller may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Data Controller on such terms as may be required by them; or a data processing agreement with the Data Processor on terms which are equivalent to those agreed between the Data Controller and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Parties acknowledge may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Data Controller deems necessary for protecting Personal Data.
The Parties shall use reasonable endeavours to assist each other in compliance with any obligations under the DPA and neither shall perform its obligations under this Framework Agreement in such a way as to cause the other to breach any of their obligations under the DPA to the extent the Party in question is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. The Parties shall designate a data protection officer if required by the Data Protection Legislation. Before allowing any Sub-Processor to process any Personal Data related to this Framework Agreement, the Parties shall: (a) notify the other in writing of the intended Sub-Processor and processing; (b) obtain the written consent of the Data Controller; (c) enter into a written agreement with the Sub-Processor which give effect to the terms set out in this Clause 21. such that they apply to the Sub-Processor; and provide the Data Controller with such information regarding the Sub-Processor as they may reasonably require. The Data Processor shall remain fully liable for all acts or omissions of any Sub-Processor.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 11.1 The Supplier/Contractor warrants and represents to the Purchaser that it shall comply with the Data Protection Laws.
11.2 Without prejudice to Condition 12.1, the Supplier/Contractor shall:
11.2.1 process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by the Purchaser (which may be specific or of a general nature), including with regard to transfers of Personal Data outside the European Economic Area unless required to do so by European Union or Member state law or regulatory body to which the Supplier/Contractor is subject; in which case the Supplier/Contractor must, unless prohibited by that law, inform the Purchaser of that legal requirement before processing the Personal Data only to the extent, and in such manner as is necessary for the performance of the Supplier/Contractor's obligations under this Contract or as is required by law;
11.2.2 subject to Condition 12.2.1 only process or otherwise transfer any Personal Data in or to any country outside of the European Economic Area with the Purchaser prior written consent;
11.2.3 take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that such personnel are: aware of and comply with the terms of this Condition 12; subject to appropriate confidentiality undertakings; informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract;
11.2.4 implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
11.2.5 provide to the Purchaser reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the GDPR;
11.2.6 If the Supplier/Contractor engages a sub-contractor for carrying out Processing activities on behalf of the Purchaser, the Supplier/Contractor must ensure that the same data protection obligations as set out in this Contract are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Supplier/Contractor shall remain fully liable to the Purchaser for the performance of the sub-contractor's performance of the obligations; and
11.2.7 ensure it does not knowingly or negligently do or omit to do anything which places the Purchaser in breach of the Purchaser obligations under the Data Protection Laws.

Appears in 2 contracts

Sources: Purchase Order Terms and Conditions, Purchase Order Terms and Conditions

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WME may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WME is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WME be deemed to be a processor on behalf of, or a joint controller with, the Client. WME explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WME refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws, and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WME, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WME is accurate and up to date, and that it promptly notifies WME if it becomes aware that such personal data is incorrect.
Where the Client provides personal data to WME, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WME’s Privacy Notice. In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WME.
In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data.
Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: Framework Agreement for the Supply of Goods and the Provision of Services, Framework Agreement

Data Protection. 13.1 It is agreed and acknowledged by the parties that they each act as Controller for Personal Data relevant to this Agreement.
13.2 The Council is the Data Controller for the Personal Data that it holds and shares with the BID Company under this Agreement as described in Appendix D (“the Council’s Personal Data”). Where the BID Company Processes the Council’s Personal Data in performance of this Agreement, the BID Company carries out such Processing as a Data Processor.
13.3 The BID Company is the Data Controller for the Personal Data that it holds and shares with the Council under this Agreement as described in Appendix E (“the BID Company’s Personal Data”). Where the Council Processes the BID Company’s Personal Data in performance of this Agreement, the Council carries out such Processing as a Data Processor.
13.4 As Controllers in common the Council and the BID Company agree to share and Process the Personal Data on the terms set out in this clause 13 and the appendices to this Agreement and the parties will comply with all the requirements of the Data Protection Legislation throughout the duration of this Agreement.
13.5 The parties agree that the sharing of Personal Data is necessary for the purposes of this Agreement as defined in Appendices D and E (“the Agreed Purpose”) and they shall not Process Shared Personal Data other than for the Agreed Purpose.
13.6 Each party will Process all Personal Data as set out in Appendices D and E.
13.7 Each party will implement appropriate technical and organisational measures to (a) prevent: (i) unauthorised or unlawful Processing of the Shared Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and (b) ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage; and (ii) the nature of the Shared Personal Data to be protected in such a manner that all Processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of Data Subjects.
13.8 Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data.
13.9 Each party in sharing Personal Data with the other, shall ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by Article 13 of the GDPR including, if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer.
13.10 Each party in receiving Personal Data from the other, undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by Article 14 of the GDPR including, if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer.
13.11 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.
13.12 Each party is responsible for maintaining a record of individual requests for information from Data Subjects, the decisions made and any other information that was exchanged. Records must include copies of the request for information, details of the Data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
13.13 Subject to any statutory or stated retention periods, the parties shall not retain or Process Shared Personal Data for longer than is necessary to carry out the Agreed Purpose.
13.14 Any Personal Data that has been shared with a party shall, at the direction of the other, disclosing, party be returned or destroyed in the following circumstances: (a) on termination of the Agreement; (b) on expiry of the BID Term; (c) once Processing of the Shared Personal Data is no longer necessary for the Agreed Purpose for which it was originally shared; unless required by law to continue to store such Personal Data.
13.15 If a party appoints a third party Processor to Process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain liable to the other party for any breach, non-performance or non-observance of this clause 13 by such other Processor in the same way and to the same extent as if such breach, non-performance or non-observance had been committed by the appointing party.
13.16 A party may not transfer any Shared Personal Data to a third party located outside the EEA unless it; (a) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint Controller); and (b) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (iii) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer.
13.17 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and Process the Shared Personal Data in accordance with the technical and organisational security measures together with any other applicable national data protection laws and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data.
13.18 Each party shall each comply with its obligation to report a Personal Data Breach to the other without undue delay and (where applicable) Data Subjects under Article 33 of the GDPR. The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner, including providing details of the nature of such Personal Data Breach, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, together with details of the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects.
13.19 In the event of a dispute or claim brought by a Data Subject concerning the Processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will co-operate with a view to settling them amicably in a timely fashion.
13.20 Each party undertakes to indemnify the other and hold the other harmless from any claims, proceedings, actions, damages, costs, fines, expenses and any other liabilities which may arise out of, or in consequence of a breach or purported breach of the Data Protection Legislation or the performance or non-performance by that party of its obligations under this Agreement in relation to the Data Protection Legislation, including loss of or damage to property, financial loss arising from any breach of the Data Protection Legislation, or any other loss which is caused directly or indirectly by any act or omission of the Party arising from any breach of the Data Protection Legislation.
13.21 The provisions of this clause 13 shall apply during the Term of this Contract and indefinitely after its expiry.

Appears in 2 contracts

Sources: Bid Levy Operating Agreement, Bid Levy Operating Agreement

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection Toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data.
Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol of these Call-off Terms and Conditions, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: NHS Framework Agreement for the Provision of Services, NHS Framework Agreement for the Provision of Services

Data Protection. 22.1 In relation to any Processing of Disclosed Data undertaken by the Supplier on behalf of the University pursuant to the Contract, the University and the Supplier acknowledge that, for the purposes of Data Protection Law, the University is the Data Controller and the Supplier is the Data Processor of such Disclosed Data. 22.2 The Parties agree that the Supplier may only process Disclosed Data on and in the Supplier or the Supplier’s Sub-Contractors’ data centres in the United Kingdom and the Disclosed Data may not be stored, transferred, located or otherwise processed outside of such area. Neither the Supplier nor any of its Sub-Contractors are entitled to transfer any of the Disclosed Data outside of the United Kingdom without the University’s prior written consent. 22.3 The Supplier warrants and undertakes that it is solely responsible for ensuring that the Disclosed Data is processed by it in accordance with the Data Protection Law from the date that it is received from the University. 22.4 The Supplier undertakes to the University that it shall use the Disclosed Data only for purposes necessary for the performance of its obligations under the Contract and only in accordance with the instructions given from time to time by the University. 22.5 The Supplier shall (and shall procure that any of the Supplier's Personnel involved in the provision of the Contract shall) comply with any notification requirements under Data Protection Law and both Parties shall duly observe all their obligations under Data Protection Law which arise in connection with the Contract. Supplier’s Personnel 22.6 The Supplier will ensure that access to the Disclosed Data is limited to: (a) Supplier’s Personnel who need access to the Disclosed Data to meet the Supplier's obligations under the Contract (the “Relevant Employees”); and (b) in the case of any access by any of the Supplier’s Personnel, such part or parts of the Disclosed Data as is strictly necessary for performance of said Supplier’s Personnel duties. 22.7 The Supplier will ensure that its Relevant Employees: (a) only Process Disclosed Data to the extent permitted by the Contract; (b) are bound by appropriate obligations of confidentiality in respect of the Disclosed Data and understand that the Disclosed Data is confidential in nature; (c) have undertaken training in Data Protection Law; and (d) are aware of the Supplier's obligations under such Data Protection Law and the Contract. 22.8 Without affecting the generality of clause 22.7, the Supplier will take appropriate steps to ensure the reliability of any of the Supplier's Personnel who have access to the Disclosed Data.

Appears in 2 contracts

Sources: Purchase Agreement, Standard Terms and Conditions

Data Protection. 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 8.2 Without prejudice to the generality of clause 8.1, each party will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Agreement. 8.3 Without prejudice to the generality of clause 8.1, each party (“Processor Party”) shall, in relation to any Personal Data processed in connection with the performance by the Processor Party of its respective obligations under this agreement: 8.3.1 process Personal Data in respect of which the other party (“Controller Party”) is Data Controller only on the written instructions of the Controller Party unless the Processor Party is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Processor Party to process Personal Data (“Applicable Laws”). Where the Processor Party is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Processor Party shall promptly notify the Controller Party of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor Party from so notifying the Controller Party; 8.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 8.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.3.4 not transfer any Personal Data to a territory outside of the United Kingdom or the European Economic Area unless the prior written consent of the Controller Party has been obtained and the following conditions are fulfilled: (a) the Controller Party or the Processor Party has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Processor Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor Party complies with reasonable instructions notified to it in advance by the Controller Party with respect to the processing of the Personal Data; 8.3.5 assist the Controller Party, at the Controller Party’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.3.6 notify the Controller Party without undue delay on becoming aware of a Personal Data breach; 8.3.7 at the written direction of the Controller Party, delete or return Personal Data and copies thereof to the Controller Party on termination of the agreement unless it is a Legal Requirement to store the Personal Data; and 8.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause. 8.4 For processing of Personal Data in connection with this Agreement: the duration of the processing is the term or such longer period as is required by law; the subject matter, nature and purpose is the storage of Personal Data and the sharing of Personal Data between the parties and their respective Group Companies to allow performance of the parties' obligations pursuant to this agreement; types of Personal Data subject to processing pursuant to this agreement are names, addresses, email addresses, IP addresses; and the categories of data subject are Company and Consultant contact details, employees of the Company and any Substitute. 8.5 [The Company agrees that any Substitute appointed under clause 3.3 is a third-party processor of personal data under this Agreement. The Consultant confirms that they will enter into a written agreement, which incorporates terms which are substantially similar to those set out in this clause 8 with the Substitute. The Consultant will remain fully liable for all acts or omissions of any third-party processor appointed by it under this clause 8.5.] 8.6 The Consultant will have liability for and will indemnify the Company and any Group Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Consultant or a Substitute of the Data Protection Legislation and will maintain in force full comprehensive Insurance Policies.

Appears in 2 contracts

Sources: Consultancy Agreement, Consultancy Agreement

Data Protection. With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that in relation to any Customer Data, the Customer is a controller and the Supplier is a processor. The Parties acknowledge their respective obligations under the Data Protection Legislation and shall give each other such assistance as is reasonable to enable each other to comply with such obligations, however, for the avoidance of doubt the Customer agrees that where Entrust has satisfied a contractual obligation under this Agreement, then such satisfaction of the contractual obligation is deemed to satisfy the same or similar requirement under the Data Protection Legislation. The Customer warrants, represents and undertakes to Entrust that it has lawful grounds for processing the Customer Data. The Parties confirm that the following information will be provided after the GDPR application date: subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; the obligations and rights of the Customer. Where Entrust processes the Customer Data under or in connection with this Agreement, Entrust shall: a) save as required otherwise by law, only process such of the Customer Data as is necessary to perform its obligations under this Agreement, and only in accordance with the Customer’s documented instructions. b) put in place appropriate technical and organisational measures to meet its own obligations under the Data Protection Legislation and which the Customer agrees are appropriate measures; c) ensure Entrust staff who will have access to the Customer Data are subject to appropriate confidentiality obligations; d) be entitled to engage Sub-Processors to process the Customer Data subject to Entrust ensuring that equivalent requirements to those set out in this clause are imposed on any sub-processor(s), Entrust remaining fully liable to the Customer for the performance of the sub-processor’s obligations and where applicable, providing to the Customer reasonable prior notice of any addition, removal or replacement of any such Sub-Processors; e) not process or transfer the Customer Data outside of the European Economic Area without the prior documented consent of the Customer; f) have in place the appropriate technical and organisational security measures to protect the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access;

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection. (a) The Operator and the Authority acknowledge and agree that the Authority is a data controller in respect of all personal data processed by the Operator on behalf of the Authority in the performance of the Services, including all Network Data which constitutes personal data, all personal data relating to users of the Ticketing System, passengers on the Network and any individuals whose personal data may be recorded by any CCTV system operated by the Operator under or in connection with this Agreement. (b) To the extent that the provision of the Services by the Operator involves the processing of personal data (as defined in the Data Protection Acts) by the Operator on behalf of the Authority, the Operator agrees that: (i) it shall process such personal data in accordance with the instructions of the Authority and the terms of this Agreement; (ii) it shall implement and maintain such security measures as are required to comply with the data security obligations of the Data Protection Acts; (iii) the Authority (or its authorised representative(s)), acting reasonably, shall be entitled, at reasonable times and on reasonable notice, to audit the security measures adopted by the Operator to ensure that such measures comply with the data security obligations of the Data Protection Acts; (iv) it shall report any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of such personal data to the Authority immediately upon becoming aware of such an incident and shall provide the Authority with such co-operation and assistance as may be reasonably required to mitigate against the effect of the security incident; (v) it shall inform the Authority promptly in the event of receiving a data subject access request in relation to any such personal data and shall provide all such co-operation and assistance as may be required to enable the Authority to deal with any subject access request in accordance with the Data Protection Acts; (vi) it shall not transfer any such personal data outside of the European Economic Area: (A) without the prior written consent of the Authority; and (B) without ensuring that such transfer complies with the Data Protection Acts; and (vii) it shall at all times comply with the relevant provisions of the Data Protection Acts including any obligation to register as a data processor (as defined in the Data Protection Acts) with the Data Protection Commissioner.

Appears in 2 contracts

Sources: Public Service Contract, Public Service Contract

Data Protection. 19.1 In performing its obligations under this Agreement, the Parties shall: 19.1.1 comply with the provisions of the Data Protection Legislation insofar as it is applicable to this Agreement; 19.1.2 not process Personal Information for any purpose other than that which may be required to perform its obligations under this Agreement and ensure that such processing will not place the University in breach of any Data Protection Legislation; 19.1.3 only act on the express instructions of the University in collecting, processing and utilising any Personal Information (for avoidance of doubt, this Agreement shall constitute such instructions); 19.1.4 not disclose or otherwise make available any Personal Information to any third party other than authorised Personnel or sub-contractors who require access to such Personal Information strictly in order for the Service Provider to carry out its obligations pursuant to this Agreement, and ensure that such Personnel and persons that have access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information. 19.2 The Service Provider shall be responsible for establishing and maintaining an information security system that is designed to: 19.2.1 ensure the security and confidentiality of all Personal Information and any University information (including any back-ups, where applicable) by the use of encryption for such information at transit and rest; 19.2.2 protect against any anticipated threats or hazards; 19.2.3 protect against unauthorised access to, disclosure or use of any University information; 19.2.4 ensure the proper separation of information belonging to the University from any third party information; 19.2.5 where appropriate, ensure the proper disposal of information belonging to the University; 19.2.6 preserve the integrity of any information belonging to the University and prevent the corruption, destruction or loss of such information at all times; and 19.2.7 ensure that all sub-contractors of the Service Provider, if any, comply with the provisions of this clause 19. 19.3 The Service Provider will report to the University orally and confirmed in writing any actual and/or suspected breaches such as security incidents, unauthorised access or disclosure of Confidential and/or Personal Information immediately upon discovery of the unauthorised disclosure but in no event more than 2 (two) days after the Service Provider reasonably believes there has been such unauthorised use or disclosure. 19.4 Where the Service Provider (including the Service Provider’s Personnel) is given access (whether direct or remote) to any University Information Technology Systems under or in connection with the Agreement, the Service Provider shall (and shall ensure that the Service Provider’s Personnel): 19.4.1 comply with the Rules, requirements or other instructions of the University or, where applicable, the University’s third party suppliers, regarding use of such University Information Technology Systems; 19.4.2 only use the University Information Technology Systems in connection with the proper delivery of the Deliverables; 19.4.3 not permit any other individual or entity to access the University Information Technology Systems; 19.4.4 upon the University’s request, immediately cease access to and use of any University Information Technology Systems and return all University Information Technology Systems (and associated documentation) to the University; and 19.4.5 not reverse engineer, deconstruct, decompile, deactivate or disable any University Information Technology Systems or introduce any viruses or other similar code, or take any other action that would cause any damage or harm to any Information Technology Systems of the University.

Appears in 2 contracts

Sources: Service Provider Agreement, Service Provider Agreement

Data Protection. 3.1 The parties’ attention is drawn to the Data Protection ▇▇▇ ▇▇▇▇, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). 3.1.1 To the extent that there is any personal data included in the Data, the Prospective Sub-licensee acknowledges that the Sub-licensor is the data controller in respect of any such personal data and that the Prospective Sub-licensee shall be the data controller of copies of any such personal data that it receives for the purposes of further processing in accordance with the terms of this Agreement. 3.1.2 The Prospective Sub-licensee agrees it will not do or omit to do any act in respect of any such personal data which would place it, Royal Mail, or the Sub-licensor in breach of the Data Protection Requirements and each party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with any such personal data. In particular and without limitation to the foregoing, each party agrees that, as data controller of any such personal data, it shall promptly notify the other party of any queries from data subjects, the Information Commissioner or any other law enforcement authority in respect of the processing and/or disclosure of any such personal data by the other under this Agreement (“Query”) and each party shall promptly provide the other with such information, co-operation and assistance as the other may require in order to respond to any Query, provided always that such notification and/or provision of co-operation and assistance is reasonable, proportionate and lawful. For the purposes of this Clause 3, “data protection principles”, “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection ▇▇▇ ▇▇▇▇. For the avoidance of doubt, the parties agree that there is no intention to impose obligations under this Clause 3 on either party in respect of data and/or rights that are not, as a matter of law, subject to the Data Protection Requirements.

Appears in 2 contracts

Sources: Digital Mapping and Location Display Licence Agreement, Digital Mapping and Location Display Licence Agreement

Data Protection. 12.1 For the purposes of this Clause 12, “Personal Data” and “Processing” (and “Process” shall be construed accordingly) shall have the meanings given to them in the Personal Data Protection ▇▇▇ ▇▇▇▇, as may be updated, superseded or replaced from time to time (the “Act”). 12.2 You acknowledge that We may obtain certain information (including, without limitation, Personal Data), about You (“Your Personal Data”). 12.3 Notwithstanding anything to the contrary, You specifically authorise that We may collect, use, disclose and/or Process Your Personal Data (whether provided electronically or otherwise) to administer these Terms, provide Services to You, including without limitation, monitoring and analysing the conduct of Your account and enabling Us to carry out statistical and other analysis, and otherwise market Services and products to You in accordance with these Terms. 12.4 You acknowledge and agree that in doing so, We may: 12.4.1 transfer or disclose Your Personal Data to any Associated Office or third party wherever located in the world, including (without limitation) those who provide services to Us or act as Our agents, those to whom We transfer or propose to transfer any of Our rights or duties under these Terms and those licences, credit reference agencies or other organisations that help Us make credit decisions and reduce the incidence of fraud or in the course of carrying out identity fraud prevention or credit control checks; and 12.4.2 transfer information We hold about You to countries located outside of Singapore, where data protection safeguards may not be as high, for any of the purposes described in this Clause 12 and in such instances We shall ensure that adequate safeguards are put into place to protect Your Personal Data. 12.5 To the extent that We Process Your Personal Data, We shall: 12.5.1 Process it only for the purposes of complying with Our obligations under these Terms, in accordance with Your reasonable instructions from time to time; and 12.5.2 ensure that appropriate technical and organisational measures shall be taken against unauthorised or unlawful Processing of Personal Data and accidental loss or destruction of, or damage to, such Personal Data. 12.6 If any Personal Data belonging to any of Your directors, employees, officers, agents or clients is provided to Us, you represent to Us that each person is aware of and consents to the use of such data as set out in this Clause 12 and You agree to indemnify us against any loss, costs or expenses arising out of any breach of this representation.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. 9.1 For the purposes of this Clause 9, "controller", "processor", "data subject", "personal data", "personal data breach" and "processing" shall have the meanings set out in the Data Protection Legislation and "process" and "processed" when used in relation to the processing of the personal data, will be construed accordingly. 9.2 To the extent applicable, the Parties shall comply with the Data Protection Legislation. 9.3 The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate that each Party shall act as a controller in common in processing personal data for the purposes of each Party's responsibilities and in accordance with these Terms of Business. 9.4 Without prejudice to the generality of clause 9.2, the Intermediary confirms that it complies with the GDPR. 9.5 Without prejudice to the generality of clause 9.2, where either Party (the "Disclosing Party") discloses personal data to the other (the "Recipient") in connection with the operation of these Terms of Business or Insurance Business, the Disclosing Party will ensure that all necessary fair processing notices have been given (and all necessary consents obtained) which are sufficient in scope and kept up-to-date to meet the Transparency Requirements so that the personal data it provides to the Recipient can be lawfully used or disclosed by the Recipient in the manner and for the purposes anticipated by these Terms of Business. 9.6 Where the Intermediary collects personal data which it subsequently transfers to the Insurer (the "Intermediary Data"), it shall ensure that such Intermediary Data is: 9.6.1 not subject to any prohibition or restriction which would: (a) prevent or restrict it from disclosing or transferring the Intermediary Data to the (b) prevent or restrict the Insurer from processing the Intermediary Data for the purposes anticipated by these Terms of Business; 9.6.2 adequate, relevant and limited to what is necessary for the purposes anticipated by these 9.6.3 accurate and, where necessary, up to date; having taking every reasonable step to ensure that any inaccurate personal data has been rectified. 9.7 The Intermediary shall notify the Insurer promptly (and in any event within two (2) Business Days of having notified a Regulator) in relation to any Intermediary Data or any personal data processed under or in connection with these Terms of Business, including full details of the personal data breach and the steps taken (or proposed to be taken) in relation to such breach.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WMIL may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WMIL is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WMIL be deemed to be a processor on behalf of, or a joint controller with, the Client. WMIL explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WMIL refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WMIL, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WMIL is accurate and up to date, and that it promptly notifies WMIL if it becomes aware that such personal data is incorrect. Where the Client provides personal data to WMIL, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WMIL’s Privacy Notice. In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WMIL. Where, in connection with this Agreement and the products and services that it provides under it, it becomes necessary for WMIL to transfer personal data to the Client, or its appointed representatives or assigns, in any jurisdiction outside the UK that has not been deemed adequate for the purposes of Article 47 of the UK GDPR, the parties shall use all reasonable efforts to enter into such data transfer arrangements as may be necessary to satisfy the requirements of the Applicable Data Protection Laws with respect to such transfer. In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with, this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. For the purpose of this article 42, "Personal Data" and "Data Controller" shall have the meanings ascribed to them in the UK Data Protection Act 1998 (“DPA”). Seller shall ensure that it complies with all requirements of the DPA as if Seller were the Data Controller in respect of all Personal Data provided to Seller by ▇▇▇▇▇, any employee of Buyer, Buyer’s customers, ▇▇▇▇▇’s subcontractors and/or any agent of Buyer pursuant to or relating to this Contract. Seller shall not process any Personal Data controlled by ▇▇▇▇▇ except in the performance of and for the purpose of this Contract. Furthermore, Seller shall not transfer any Personal Data controlled by Buyer to any other entity or outside of the EEA without the express written consent of Buyer and without the provisions of the DPA and all applicable data protection law having been satisfied. Seller will have in place adequate technical and organizational security measures so that the confidentiality of this processing complies with the DPA and all applicable data protection laws and regulations. Seller shall immediately provide Buyer with copies of any and all requests by data subjects or regulatory authorities in relation to personal data processed pursuant to this Contract, and notice of any and all data breaches or other unlawful processing of personal data, and shall promptly provide Buyer with any and all assistance that may be required to respond to such requests or breaches. Where such requests relate to ▇▇▇▇▇▇’s failure to comply with the DPA or other applicable data protection laws and regulations, then such support and any remediation shall be at Seller’s expense. Where under this Contract personal data needs to be exported from the EEA, Seller shall agree to execute such data transfer contracts based upon the model contracts published by the Article 29 Working Party of the European Commission. Seller shall indemnify, keep indemnified and hold harmless Buyer and ▇▇▇▇▇’s customers from and against all expenses, contingent liabilities, liabilities, injuries, losses, damages, claims, demands, proceedings, judgments and legal costs (on a full indemnity basis) whether arising in tort (including negligence), breach of contract, breach of statutory duty, collaterally or otherwise which Buyer and/or Buyer’s customers incur or suffer arising from breach of this article 42 or any model contract entered into by Seller pursuant to it.

Appears in 2 contracts

Sources: Purchase Order, Purchase Contract

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WMIL may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WMIL is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WMIL be deemed to be a processor on behalf of, or a joint controller with, the Client. WMIL explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WMIL refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WMIL, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WMIL is accurate and up to date, and that it promptly notifies WMIL if it becomes aware that such personal data is incorrect. Where the Client provides personal data to WMIL, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WMIL’s Privacy Notice. In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WMIL. Where, in connection with this Agreement and the products and services that it provides under it, it becomes necessary for WMIL to transfer personal data to the Client, or its appointed representatives or assigns, in any jurisdiction outside the UK that has not been deemed adequate for the purposes of Article 47 of the UK GDPR, the parties shall use all reasonable efforts to enter into such data transfer arrangements as may be necessary to satisfy the requirements of the Applicable Data Protection Laws with respect to such transfer. In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with, this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. (a) If and insofar within the scope of this Agreement Personal Data is Processed by Pegasystems on behalf of Customer, Pegasystems shall: (i) Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions as are notified by the Customer to Pegasystems during the Term or instructions of a general nature as are set out in this Agreement); (ii) implement appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and/or reputational damage which might result from any unauthorized or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the
Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing and comply with the obligations in this sub-clause; (a “Security Incident”iii) and to take reasonable steps to mitigate ensure that all Pegasystems staff required to access the impact Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this sub-clause; and (iv) not publish, disclose or divulge any of the Personal Data to any third party except as described below or unless directed in writing to do so by the Customer. (b) Pegasystems will notify Customer in writing if it becomes aware of any breach of Personal Data or any claims in connection with such Security Incidentbreach. In the event Pegasystems shall inform Customer of all actions and measures taken to address such breach and/or claims. 
(c) Pegasystems will only transfer or provide direct access to Personal Data to Pegasystems’ affiliates and subcontractor that Recipient receives (i) any request from a data subject have agreed in writing to exercise any of its rights under Privacy Laws in relation to process the Personal Data (including its rights consistent with the terms of access, correction, objection and erasure); this Agreement and (ii) any other correspondence, inquiry (A) are located in a jurisdiction subject to Data Protection Legislation or complaint received from a data subject, regulator with privacy laws considered to be adequate by the European Commission or other third party in connection with (B) have entered into the processing EU standard contractual clauses for transfers of Personal Data (collectivelyto non-EU data processors, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate set out in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. 
Such measures may include transferring the Data to a country that the European Commission Decision 2010/87/EC of 5 February 2010, to the extent necessary for Pegasystems to fulfill its obligations to Customer pursuant to this Agreement, unless and until Pegasystems has decided provides adequate protection in place an alternative valid mechanism which is suitable for personal data; this purpose, including but not limited to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorfor Processors.

Appears in 2 contracts

Sources: Master Software License, Maintenance & Professional Services Agreement, Master Software License, Maintenance & Professional Services Agreement

Data Protection. 15.1 Each party shall be responsible for ensuring that it fulfills its respective obligations and responsibilities under the Data Protection Legislation and any other applicable laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or re-enacted from time to time), or the relevant legislation covering the use of personal data applicable to each party in the jurisdiction in which it is based. This includes, but is not limited to the following: (a) The parties shall agree the appropriate processes and arrangements under which any necessary data sharing and processing is to be carried out in the provision of the Services and Software under this Agreement. For all purposes related to the Data Protection Legislation, the Customer shall be the Data Controller and Simitive a Data Processor as regards such data sharing and processing. (b) Simitive shall not transfer any personal data to any country or territory outside the United Kingdom or European Economic Area or other such geographical location as required by the Customer to comply with Data Protection Legislation in the Customer’s jurisdiction. (c) The Customer shall notify Simitive of the identities of the users and the administrators authorised to be users of the Software provided and hosted by Simitive under this Agreement (the “Authorised Users”); (d) Simitive shall enable the appropriate, agreed access and use of the Simitive Software by such Authorised Users; (e) The Customer is responsible for ensuring that Authorised Users comply with instructions in respect of the use of the Simitive Software, including those relating to access to, processing and protection of personal data. (f) Simitive shall take appropriate technical and organisational measures with the intention of preventing unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) Any Simitive staff with access to the Software shall be subject to appropriate security checks as a condition of their employment and have received appropriate training in data security. (h) Simitive shall provide such assistance as required to enable the Customer to meet its obligations under the Data Protection Legislation in relation to the security of processing, notification of personal data breaches and data protection impact assessments. 15.2 Simitive shall process personal data provided by the Customer only for the following lawful purposes; (a) to perform its duties and obligations under this Agreement; (b) in connection with the provision, implementation, monitoring, operation, evaluation and support of the Simitive Software; (c) to manage its provision of the Simitive Software and Services; (d) to carry out statistical analysis; (e) for administration, accounting, and archival purposes; 15.3 The parties agree that they will use reasonable endeavours to ensure that they do not, and do not cause the other Party to, breach the Data Protection Legislation (or other equivalent and applicable legislation in any jurisdiction in which a party is based) by their acts or omissions. 15.4 Simitive will delete or destroy all personal data supplied by the Customer within 3 months of the date of termination or otherwise end of the term of this agreement. Deleted content may persist in backup copies for up to one year, but will be encrypted and not available to third parties. 15.5 The Purpose of Processing is to allow the Customer to use the Simitive Software. 15.6 The Type of Personal Data will include names, email addresses, job titles, employment commencement and end dates. If chosen by the Customer it may also include Gender, Ethnicity or other such characteristics as required by the Customer to enable the statistical reporting. 15.7 Categories of Data Subjects will be employees or former employees of the Customer.

Appears in 2 contracts

Sources: Services Agreements, Services Agreements

Data Protection. 8.1 Each party will comply with all applicable requirements of the Data Protection Legislation. This Clause is in addition to, and does not relieve, remove or replace, either party’s obligations under the Data Protection Legislation. 8.2 The parties acknowledge that Personal Data of Licensee personnel may be provided to Blue Prism for the provision of Support Services during the Agreement Term, in which case Licensee shall be the Data Controller and Blue Prism shall be the Data Processor. Such Personal Data may include Licensee personnel names, work email address, job information and work telephone number and shall be used by Blue Prism to communicate with Licensee in the providing the Support Services and manage Support Service requests. 8.3 Save as set out in Clause 8.2, Licensee shall not provide any Personal Data to Blue Prism for processing by Blue Prism on Licensee’s behalf. 8.4 Licensee will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Blue Prism for the duration and purposes of this Agreement in order for Blue Prism to provide Support Services. 8.5 Blue Prism shall in relation to any Personal Data processed in connection with the performance of its obligations under this Agreement: 8.5.1 process that Personal Data only on the written instructions of Licensee as described in Clause 8.2 or otherwise agreed; 8.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; 8.5.3 ensure that all Blue Prism personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.5.4 only transfer any Personal Data outside of the European Economic Area to its Affiliates and sub-contractors (Licensee’s permission for which is hereby given) if: (a) Blue Prism has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) Blue Prism complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) Blue Prism complies with reasonable instructions notified to it in advance by Licensee with respect to the processing of the Personal Data; 8.5.5 provide reasonable assistance to Licensee in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.5.6 notify Licensee without undue delay on becoming aware of a Personal Data breach; 8.5.7 at the written direction of Licensee, delete or return Personal Data and copies thereof to Licensee on termination or expiry of the Agreement unless required by applicable law to store the Personal Data; and 8.5.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 8. 8.6 Licensee consents to Blue Prism appointing third-party processors of Personal Data, including Blue Prism Affiliates, in order to provide Support Services to Licensee under this Agreement. Where a third-party processor is not a Blue Prism Affiliate, Blue Prism confirms that it has entered into a written agreement substantially on that third party’s standard terms of business. Further details of Blue Prism’s third-party processors are included in the Blue Prism Privacy Policy. As between Licensee and Blue Prism, Blue Prism shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Clause.

Appears in 2 contracts

Sources: Software License Agreement, License Agreement

Data Protection. 16.1 Each party is a Data Controller of Protected Data and each party shall comply with the obligations imposed on Data Controllers under the Data Protection Legislation. Nothing in these Conditions shall prohibit or otherwise restrict a party from complying with such obligations. 16.2 The Data Recipient shall notify the Data Discloser: 16.2.1 without undue delay and in any event within seven (7) days upon receiving a subject access or other request from a Data Subject concerning Protected Data disclosed to the Data Recipient, or if the Data Recipient receives any other claim, complaint or allegation relating to Protected Data disclosed to the Data Recipient; and 16.2.2 without undue delay and in any event within forty-eight (48) hours upon becoming aware of or having reasonable cause to suspect any breach of security leading to the destruction, loss or unlawful disclosure of Protected Data disclosed to the Data Recipient, and shall provide all details of the data breach as is required under applicable Data Protection Legislation, and in each case the parties shall co-operate with each other in handling such an event and provide reasonable assistance to the other in the discharging of their respective duties under Data Protection Legislation. 16.3 Each party shall (at its own cost) assist the other in complying with its obligations as Data Controller including by providing reasonable assistance, information and cooperation as required by Data Protection Legislation to the other party and, if appropriate, to Data Subjects. 16.4 The Buyer shall indemnify, keep indemnified, hold harmless and keep held harmless Novartis Gene Therapies and its affiliates against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a regulator) arising out of or in connection with any breach by the Buyer of its obligations under this clause 16. 16.5 For the purposes of this clause 16:

Appears in 2 contracts

Sources: Supply Agreement, Supply Contract

Data Protection. 11.1. The LICENSEE acknowledges that in connection with the performance of its obligations under this Agreement PerfectForms may carry out Processing on Personal Data and sensitive personal data relating to employees of the LICENSEE. PerfectForms shall use its best endeavors to carry out such Processing in compliance with any applicable data protection legislation in force from time to time, and shall, without limitation to the foregoing 11.1.1. Take appropriate technical and organizational measures against unauthorized or unlawful processing of LICENSEE Personal Data and against accidental loss or destruction of, or damage to, LICENSEE Personal Data 11.1.2. Only disclose LICENSEE Personal Data or information extracted from such data to third parties with the prior written approval of the LICENSEE 11.1.3. In the event that PerfectForms is compelled to conform to edicts of the law, or to respond to subpoenas, to court orders, or legal processes, then, subject to any restrictions, PerfectForms shall promptly notify such employee of the LICENSEE of such request and respond promptly to any request for information made by the LICENSEE in respect of such subject access 11.2. The LICENSEE acknowledges that it is solely responsible for the creation of all LICENSEE Personal Data upon which PerfectForms carries out Processing under this Agreement. The LICENSEE shall make obtain and maintain all necessary notifications authorizations and consents the LICENSEE is required to have for the Processing of LICENSEE Personal Data to be carried out by PerfectForms under this Agreement. PerfectForms acknowledges that LICENSEE Personal Data in the possession of PerfectForms shall at all times remain the property of LICENSEE 11.3. The LICENSEE hereby instructs PerfectForms to carry out such Processing on LICENSEE Personal Data as is reasonably required by PerfectForms to perform its obligations under this Agreement. The LICENSEE may vary the instruction given by this clause 11.3 with respect to the Processing of LICENSEE Personal Data at any time by written notice to PerfectForms provided that PerfectForms shall have no liability of any kind to the LICENSEE for any loss or damage suffered by or claim made by any person against the LICENSEE arising directly or indirectly from PerfectForms complying with such notice

Appears in 2 contracts

Sources: Support and Maintenance Agreement, Support and Maintenance Agreement

Data Protection. 15.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 15 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 15.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and FSI is the data processor (where data controller and data processor have the meanings as defined in the Data Protection Legislation). 15.3 Without prejudice to the generality of clause 15.1: (a) the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of any personal data to FSI for the duration and purposes of this agreement; and (b) FSI shall, in relation to any personal data processed in connection with the performance by FSI of its obligations under this agreement: (i) process that personal data only on the documented written instructions of the Client unless FSI is required by the laws of any member of the European Union or by the laws of the European Union applicable to FSI and/or Data Protection Legislation that applies in the UK to process personal data (“Applicable Laws”). Where FSI is relying on Applicable Laws as the basis for processing personal data, FSI shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FSI from doing so; (ii) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (A) FSI has provided appropriate safeguards in relation to the transfer; (B) the data subject has enforceable rights and effective legal remedies; (C) FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (D) FSI complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data; (iii) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (iv) notify the Client without undue delay on becoming aware of a personal data breach; (v) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of this agreement unless required by Applicable Law to store the personal data; (vi) maintain complete and accurate records and information to demonstrate its compliance with this clause 15 and immediately inform the Client if, in the opinion of FSI, an instruction infringes the Data Protection Legislation. 15.4 The Client hereby consents to FSI appointing third party sub-processors (and the Client shall confirm its consent to the appointment of such persons as FSI requires in writing) provided that such sub-processors will not store personal data outside of the European Economic Area unless FSI has provided appropriate safeguards in relation to the transfer (which it can demonstrate to the Client), the data subject has enforceable rights and effective legal remedies and FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred. 15.5 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

Appears in 2 contracts

Sources: Managed Services Agreement, Managed Services Agreement

Data Protection. The Service Provider shall (and shall procure that its entire Staff shall) comply with any notification requirements under the DPA and both Parties will duly observe all of their obligations under the DPA which arise in connection with this Framework Agreement. Notwithstanding the general obligation in Clause 22.1, where the Service Provider is processing personal data (as defined by the DPA) as a data processor for the Authority (as defined by the DPA) the Service Provider shall ensure that it has in place appropriate technical organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Service Provider is complying with its obligations under the DPA; promptly notify the Authority of any breach of the security measures required to be in place pursuant to this Clause 22; and ensure it does not knowingly or negligently do or omit to do anything which places the Authority in breach of the Authority’s obligations under the DPA. The provisions of this Clause 22 shall apply during the Term and indefinitely after its expiry. FREEDOM OF INFORMATION The Service Provider acknowledges that the Authority is subject to the requirements of the FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to enable the Authority to comply with its Information disclosure obligations. The Service Provider shall and shall procure that its Sub-Contractors shall:- transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two (2) Working Days of receiving a Request for Information; provide the Authority with a copy of all Information, relevant to a Request for Information, in its possession or power, in the form that the Authority requests within five (5) Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in this Framework Agreement or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the FOIA or the Environmental Information Regulations. In no event shall the Service Provider respond directly to a Request for Information unless expressly authorised to do so by the Authority. The Service Provider acknowledges that (notwithstanding the provisions of this Clause 23) the Authority may, acting in accordance with the Ministry of Justice’s Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information ▇▇▇ ▇▇▇▇ (“the Code”), be obliged under the FOIA, or the Environmental Information Regulations to disclose Information concerning the Service Provider or the Services:- in certain circumstances without consulting the Service Provider; or following consultation with the Service Provider and having taken their views into account, provided always that where Clause 23.5 applies the Authority shall, in accordance with any recommendations of the Code, take reasonable steps, where appropriate, to give the Service Provider advanced notice, or failing that, to draw the disclosure to the Service Provider's attention after any such disclosure. The Service Provider shall ensure that all Information is retained for disclosure in accordance with Clause 18 and shall permit the Authority to inspect such records as requested from time to time. The Service Provider acknowledges that the Commercially Sensitive Information listed in Schedule 12 is of indicative value only and that the Authority may be obliged to disclose it in accordance with Clause 23.5. PUBLICITY Subject to Clause 25 (Marketing) the Service Provider shall not make any press announcements or publicise this Framework Agreement in any way without the Authority’s prior written consent. The Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Authority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit ▇▇▇ ▇▇▇▇ or otherwise. The Service Provider shall not do anything to cause anything to be done, which may damage the reputation of the Authority or bring the Authority into disrepute.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 16.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 16 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 16.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and FSI is the data processor (where data controller and data processor have the meanings as defined in the Data Protection Legislation). 16.3 Without prejudice to the generality of clause 16.1: (a) the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of any personal data to FSI for the duration and purposes of this agreement; and (b) FSI shall, in relation to any personal data processed in connection with the performance by FSI of its obligations under this agreement: (i) process that personal data only on the documented written instructions of the Client unless FSI is required by the laws of any member of the European Union or by the laws of the European Union applicable to FSI and/or Data Protection Legislation that applies in the UK to process personal data (“Applicable Laws”). Where FSI is relying on Applicable Laws as the basis for processing personal data, FSI shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FSI from doing so; (ii) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (A) FSI has provided appropriate safeguards in relation to the transfer; (B) the data subject has enforceable rights and effective legal remedies; (C) FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (D) FSI complies with reasonable instructions notified to it in advance by the Client with respect to the processing of personal data; (iii) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (iv) notify the Client without undue delay on becoming aware of a personal data breach; (v) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of this agreement unless required by Applicable Law to store the personal data; (vi) maintain complete and accurate records and information to demonstrate its compliance with this clause 16 and immediately inform the Client if, in the opinion of FSI, an instruction infringes the Data Protection Legislation. 16.4 The Client hereby consents to FSI appointing third party sub-processors (and the Client shall confirm its consent to the appointment of such persons as FSI requires in writing) provided that such sub-processors will not store personal data outside of the European Economic Area unless FSI has provided appropriate safeguards in relation to the transfer (which it can demonstrate to the Client), the data subject has enforceable rights and effective legal remedies and FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred. 16.5 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

Appears in 2 contracts

Sources: Saas Agreement, Saas Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ob▇▇▇▇▇▇▇▇s under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" b▇ ▇▇▇ ▇▇ropean Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data ▇▇▇▇▇▇▇▇on (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and ▇▇▇ ▇▇▇▇gages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 2 contracts

Sources: Administration Agreement (Granite Mortgages 03-1 PLC), Administration Agreement (Granite Mortgages 03-3 PLC)

Data Protection. Each Party shall in relation to the processing of the Shared Personal Data comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within thirty (30) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. Each Party shall comply with the Data Protection Legislation in processing the Shared Personal Data and shall do all things reasonably necessary to assist the other in complying with its obligations under Data Protection Legislation in respect of the Shared Personal Data. In particular, each Party shall: ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, Shared Personal Data; ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the other Party for such purposes as the Parties have mutually agreed, and consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data wherever possible; provide the other Party with reasonable assistance in complying with any data subject access request or deletion requests and queries or complaints made under Data Protection Legislation; provide the other Party with reasonable assistance in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the other Party without undue delay on becoming aware of any Personal Data Breach in relation to Shared Personal Data which it has received from the other Party and provide assistance to the other Party as is necessary upon reasonable request to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner; maintain complete and accurate records and information to demonstrate compliance with this Agreement; ensure the reliability of any of its Personnel who have access to personal data and ensure that such Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and not transfer any Shared Personal Data which it has received from the other Party internationally or to an international organisation except as permitted in accordance with Data Protection Legislation.

Appears in 2 contracts

Sources: Data Sharing Agreement, Data Sharing Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ▇▇▇▇▇▇▇ions under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" ▇▇ ▇▇▇ European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Da▇▇ ▇▇▇▇▇ction (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mor▇▇▇▇▇▇ ▇rustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 2 contracts

Sources: Administration Agreement (Granite Mortgages 03-3 PLC), Administration Agreement (Granite Mortgages 03-3 PLC)

Data Protection. 1. The parties agree to treat the personal data to which they may have access for the purpose indicated in this Educational Cooperation agreement. In accordance with the provisions of Regulation (EU) 2016/679, contained in Organic Law 3/2018, of 5 December 2018, concerning the Protection of Personal Data and Guarantee of Digital Rights and other development regulations, the processing of data of a personal nature that derives from this agreement is subject to the provisions of current legal regulations, obliging the parties to comply with any obligations that may be required, and not to use personal data for purposes other than those provided for in this agreement nor to disseminate this data or provide it to third parties. 2. For these purposes, and in accordance with the provisions of the regulations on data protection, the parties will adopt measures that guarantee the adequate security of personal data in order to avoid unauthorized or illegal treatment, loss, destruction or accidental damage, through the application of appropriate technical and organizational measures. 3. The personal data provided by the Parties referring to the contact persons or signatories shall be processed for the purpose of managing the formalised relationship between them, the legitimate basis for the processing being the execution of this contract. The data provided shall not be passed on to third parties, unless legally obliged to do so. The data subject may exercise his or her rights of access, rectification, erasure, objection, limitation of processing, data portability and, where appropriate, the right not to be subject to automated decisions, by writing to the address of the parties indicated in this agreement. 4. If, as a result of the execution of this agreement, the parties access and process personal data belonging to the other party, they must sign the corresponding contract for the processing of such data. 5. Failure to comply with any of the above obligations shall be sufficient cause for termination of this agreement, without prejudice to any liabilities of any kind that may be incurred for such non-compliance. 6. Each party must hold the other party harmless against all claims, damages, losses, fines, penalties, costs and expenses arising out of legal and/or extrajudicial proceedings due to any breach by that party's personnel of the obligations contained in this clause, not assuming any responsibility as a consequence of the non-compliance with the regulations in force on data protection in which the other party may incur.

Appears in 2 contracts

Sources: Educational Cooperation Agreement, Educational Cooperation Agreement

Data Protection. Each Party shall comply with its respective obligations under Applicable Data Protection Law and shall not do or omit to do anything which would cause the other Party to breach Applicable Data Protection Law. To the extent that any personal data is processed by the Supplier under this Agreement, the Supplier shall: process the personal data only in accordance with this Agreement and the Customer’s lawful instructions; implement appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure; only permit the personal data to be processed by persons who are bound by enforceable obligations of confidentiality; remain entitled to appoint third party sub-processors. Where the Supplier appoints a third party sub-processor, it shall, with respect to data protection obligations: (i) ensure that the third party is subject to, and contractually bound by, at least the same obligations as Supplier; and (ii) remain fully liable to the Customer for all acts and omissions of the third party; not transfer or otherwise process the personal data outside of the European Economic Area ("EEA") without obtaining the Customer's prior written consent; where consent is granted under clause 12.2.5, the Supplier may only process, or permit the processing, of the personal data outside the EEA under the following conditions: (i) the territory has the benefit of a European Commission finding that it provides adequate protection for the privacy rights of individuals; or (ii) the Supplier has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available; or (iii) the transfer otherwise complies with Applicable Data Protection Law; notify the Customer without delay after becoming aware that it has suffered a personal data breach; at the Customer’s cost, permit the Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier’s data processing activities to enable the Customer to verify and/or procure that the Supplier is complying with its obligations under this clause 12; assist the Customer in responding to requests from data subjects who are exercising their rights under Applicable Data Protection Law; assist the Customer in complying with its obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of Applicable Data Protection Law), comprising (if applicable): (i) notifying a supervisory authority that the Customer has suffered a personal data breach; (ii) communicating a personal data breach to an affected individual; (iii) carrying out an impact assessment; and (iv) where required under an impact assessment, engaging in prior consultation with a supervisory authority; and unless applicable law requires otherwise, upon termination of this Agreement delete all personal data provided by the Customer to the Supplier. Each Party acknowledges that the factual description of the subject-matter, duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects shall be as set out in this Agreement. To the extent that the foregoing is not set out in this Agreement, the Parties shall keep a separate record of the relevant particulars.

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection. 32.1 The Grant Recipient warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this Agreement. 32.2 The Grant Recipient undertakes that to the extent that the Grant Recipient and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Agency (the Agency’s Personal Data) for the purpose of performing its obligations under this Agreement it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA. In particular, the Grant Recipient agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 32.2.1 the Grant Recipient shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the Agency’s Personal Data and any person it authorises to have access to any of the Agency’s Personal Data will respect and maintain the confidentiality and security of the Agency’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the Agency, when performing its obligations under this Agreement on the Agency’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 32.2.2 the Grant Recipient shall only process Personal Data for and on behalf of the Agency for the purpose of performing its obligations under this Agreement in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written instructions from the Agency to ensure compliance with the DPA; 32.2.3 the Grant Recipient shall allow the Agency to audit the Grant Recipient's compliance with the requirements of this Condition 32 on reasonable notice and/or, at the Agency’s request, provide the Agency with evidence of the Grant Recipient's compliance with the obligations within this Condition 32. 32.3 The Grant Recipient undertakes not to disclose or transfer any of the Agency’s Personal Data to any third party without the prior written consent of the Agency save that without prejudice to Condition 32.2 the Grant Recipient shall be entitled to disclose the Agency’s Personal Data to employees to whom such disclosure is reasonably necessary in order for the Grant Recipient to perform its obligations under this Agreement, or to the extent required under a court order. 32.4 The Grant Recipient shall: 32.4.1 take reasonable steps to ensure the reliability of any Grant Recipient Party who has access to the Personal Data; 32.4.2 ensure that any Grant Recipient Party required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 32; 32.4.3 ensure that none of any Grant Recipient Party publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Agency;

Appears in 2 contracts

Sources: Framework Delivery Agreement, Framework Delivery Agreement

Data Protection. 9.1 Acolyte shall, in providing access to the Application and in preparing Intelligence Reports and Insight Reports, comply with Data Protection Legislation and with its Data Protection & Privacy Policy relating to the privacy and security of the personal data processed under this Agreement, which is available on the Acolyte website. Acolyte reserves the right to amend its policies as required. 9.2 Each party shall ensure compliance with all applicable Data Protection Legislation when processing personal data. 9.3 The parties acknowledge that each of them is a controller of the Candidate Data processed in connection with this Agreement. The Parties agree to regulate the processing of Candidate Data as set out in Schedule 2. 9.4 The parties acknowledge that any preceding or subsequent data processing activities involving Candidate Data will fall outside the scope of this Agreement. 9.5 Acolyte may record telephone and video calls for training and monitoring purposes, and all recordings shall be held in accordance with Data Protection Legislation. 9.6 The Client acknowledges that the personal data shall be stored within the EU or the UK but may be transferred accessed or processed in accordance with applicable legislation outside the EU or the country where ▇▇▇▇▇▇▇’s delivery team, the Client and the Authorised Users are located in order to provide access to the Application, and perform Acolyte’s obligations under this Agreement. Any transfer of personal data outside the EU or the UK will be subject to a Data Transfer Impact Assessment to confirm that the recipient ensures adequate protection for personal data and that the data subject has enforceable rights and effective legal remedies; 9.7 Where relevant, the parties shall ensure that each of them is entitled to transfer the relevant personal data to the other party so that it may be lawfully used, processed and transferred in accordance with this Agreement; 9.8 The parties shall ensure that the relevant third parties have been informed of, and, where applicable, have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; 9.9 Each party shall take appropriate administrative, physical, technical and organisational measures against unauthorised or unlawful processing of the personal data and Candidate Data or its accidental loss, destruction or damage; and 9.10 The Client represents that the Client has established appropriate confidentiality, privacy and security policies and safeguards consistent with Data Protection Legislation, and industry standards and that the Client will educate Authorised Users on these policies and safeguards. 9.11 Acolyte shall follow its archiving procedures for personal data. In the event of any loss or damage to Candidate Data, the Client’s sole and exclusive remedy shall be for Acolyte to use reasonable commercial endeavours to restore the lost or damaged Candidate Data from the latest back-up of such Candidate Data maintained by Acolyte in accordance with the archiving procedure. Acolyte shall not be responsible for any loss, destruction, alteration or disclosure of Candidate Data caused by any third party (except those third parties subcontracted by Acolyte to perform services related to Candidate Data maintenance and back-up).

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters. The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection Toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier. The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. To the extent that the provision of any Service requires the Processing of Personal Data: (a) Each Provider shall comply with, and shall cause its controlled Affiliates and its and their respective employees, agents and subcontractors to comply with, all applicable Laws relating to the Processing of Personal Data (“Data Protection Laws”) in connection with the performance of the Provider’s and Recipient’s obligations under this Agreement. The Parties acknowledge that the Recipient is the Controller of all Personal Data Processed by the Provider in connection with the performance of the Provider’s and Recipient’s obligations under this Agreement (“Recipient Data”) and agree that the Provider (and any Sub-Processor) may Process Recipient Data in the course of providing the Services. (b) Each Provider shall promptly notify the Recipient (as Controller) if the Provider receives a request from a data subject under any Data Protection Law in respect of the Processing of Personal Data in connection with the performance of the Provider’s or Recipient’s obligations under this Agreement; and ensure that the Provider does not respond to that request except on the instructions of the Recipient or as required by applicable Data Protection Law to which the Provider is subject (in which case, the Provider shall, to the extent permitted by applicable Data Protection Law, inform the Recipient of that legal requirement before the Provider responds to the request). (c) Each Provider shall notify the Recipient (as Controller) without undue delay upon the Provider becoming aware of unauthorized access to, or other security breach, affecting the Recipient’s Personal Data and providing the Recipient with sufficient information to allow the Recipient to meet any obligations to report or inform data subjects of the incident as required under the Data Protection Laws. Each Provider shall cooperate with the Recipient and take such reasonable commercial steps as are directed by the Recipient to assist in the investigation, mitigation and remediation of each such incident. (d) Further obligations of the Provider regarding the Processing of Personal Data in connection with the provision of the Services will be mutually agreed between the Parties in a separate Data Processing and Transfer Agreement (the “DPA”) between the Parties. To the extent there are any conflicts between this Section 3.3 and the DPA, the DPA shall govern.

Appears in 2 contracts

Sources: Transition Services Agreement (Bausch Health Companies Inc.), Transition Services Agreement (Bausch & Lomb Corp)

Data Protection. 12.1 You warrant and confirm to Us that You: (a) are registered under applicable Data Protection Laws; (b) will at all times comply with all applicable provisions of Data Protection Laws and any other applicable legislation relating to personal data; and (c) will immediately inform Us in writing and at Your own cost if You have failed to comply with any provision of applicable Data Protection Laws. 12.2 When You submit an Application to Us under this Agreement, this will constitute Processing personal data. The parties acknowledge purpose of this Clause 12 is to set out the roles that You and We perform in respect of that personal data. 12.3 When You submit an Application to Us, including when You populate an Application, You do so as a controller of the personal data which You collect and process and provide to Us, and You are solely responsible for the processing of that personal data and ensuring that such processing is undertaken in accordance with the requirements of Data Protection Laws. 12.4 You and We shall each be separately and independently responsible under Data Protection Laws for any personal data in respect of which we are a controller while the personal data is in our possession or under our control. We shall, where necessary, cooperate with, and provide reasonable assistance to one another in order to enable each of us to comply with our respective obligations under Data Protection Laws, including (but not limited to): (a) making available to the other party in a timely manner any correspondence from any data subjects or any relevant supervisory authority in relation to the processing of personal data by that party (to the extent that this is legally permitted); and/or (b) to the extent appropriate, informing one another of any Data Security Incident which may impact the other party, in so far as such Data Security Incident involves the personal data which is processed in relation to the Terms. 
12.5 You shall ensure that, to the extent that any personal data is to be transferred to Us for the purposes of this Agreement, You will: (a) have a lawful purpose for transferring the personal data to Us, and will have complied with all other necessary lawful requirements to enable the lawful transfer of the personal data to Us. We will receive the personal data as a controller; (b) ensure You have all necessary consents and notices in place to enable the personal data to be transferred to Us lawfully for the purposes of this Agreement; (c) give full information to any Applicant whose personal data may be processed under this Agreement of the nature of such processing, including making the Applicant aware of the purposes for which We will process personal data and to whom that personal data may be disclosed and notifying the Applicant that, on the termination of this Agreement, personal data relating to the Applicant may be retained by Us; (d) process any personal data We provide to You only for the purposes of this Agreement and not disclose or allow access to such personal data to anyone who is not subject to written contractual obligations concerning such personal data (including obligations of confidentiality) which are no less demanding than those imposed on You by this Agreement; (e) take appropriate technical and organisational measures to guard against unauthorised or unlawful processing or accidental loss, destruction, damage or alteration or disclosure of such personal data. This shall include where appropriate encryption of and password protected access to all such data whether stored on hard copy or in electronic form or any other form whatsoever. Such measures shall be in accordance with good industry practice and all guidance from any Regulatory Authority (including the UK Information Commissioner and the FCA) from time to time; (f) restrict access to such personal data to employees who are required to have it; (g) notify Us immediately of any security breaches relevant to the performance of this Agreement that may result in an unauthorised person gaining access to such personal data or to a device on which such personal data is held; (h) retain such personal data for no longer than necessary for the purpose for which the personal data is processed; (i) not transfer any personal data received from Us outside the EEA unless You: (i) comply with the provisions of Article 26 of the GDPR; and (ii) ensure that: (A) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; (B) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (C) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer.
12.6 We shall be entitled to use any information including personal data supplied by You for the purpose of: (a) considering the Application and any subsequent business from You; (b) administrative purposes including contract management; (c) conducting market research and statistical analysis; (d) informing You about new products, services, and about changes in the terms for existing products; (e) fraud and money laundering prevention; (f) preparing strategic or other marketing plans and gauging product sales; (g) in connection with any prospective sale or assignment of Our business or part thereof; and (h) for any purpose which is lawful and/or with the Applicant's consent under applicable Data Protection Laws. 12.7 You shall assist Us in complying with all applicable requirements of the Data Protection Laws with respect to the Applicants and, in particular, shall: (a) consult with Us about any notices given to the Applicants in relation to their personal data; (b) promptly inform Us about the receipt of any data subject access request; (c) provide Us with reasonable assistance in complying with any data subject access request; (d) not disclose or release any personal data in response to a data subject access request without first consulting Us wherever possible; (e) assist Us, at our cost, in responding to any request from an Applicant and in ensuring compliance with Our obligations under the Data Protection Laws with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators; (f) at Our written direction, delete or return to Us on termination of this Agreement all personal Data and all copies thereof which You are not required by law to retain; (g) use compatible technology for the processing of personal data to ensure that there is no lack of accuracy resulting from personal data transfers; (h) maintain complete and accurate records and information to demonstrate Your compliance with this Clause 12 and allow Us or Our designated auditor to conduct such audits of Your security measures as We require to ensure Your compliance with this Clause 12; (i) You will indemnify Us against all claims and proceedings and all liability, loss, costs and expenses We may suffer or incur as a result of any claim made or brought by an Applicant or by any other person in respect of any loss, damage or distress caused to them as a result of any breach by You of the Data Protection Laws. 12.8 Any breach of this Clause 12 by You may be a material breach of this Agreement which is not capable of being remedied, irrespective of whether any financial loss or reputational damage arises, and irrespective of the level of any financial loss or deprivation of benefit arising, as a consequence of such breach. 12.9 Please note that telephone calls may be recorded or monitored for security or training purposes.

Appears in 2 contracts

Sources: Intermediary Agreement, Intermediary Agreement

Data Protection. B36.1 Each Party shall comply with their respective duties under the Data Protection Legislation and any successor legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. B36.1 The Parties agree that in relation to: B36.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and B36.1.2 Personal Data, the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management the Authority and the Provider will be independent Data Controllers; together the “Agreed Purpose”. B36.2 Where the Authority requires information under clause 9.1.2 above, the Provider shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider shall provide such information in pseudonymised form where possible.
B36.3 Schedule 1 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and duration of Processing. B36.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. B36.5 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. B36.6 In relation to the Processing of any Personal Data, each Party shall: B36.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; B36.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; B36.6.3 process the Personal Data only for the Agreed Purpose; B36.6.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients;

Appears in 2 contracts

Sources: Contract for the Provision of Public Health Services, Contract for the Provision of Public Health Services

Data Protection. 22.1 In relation to any Processing of Disclosed Data undertaken by the Supplier on behalf of the University pursuant to the Contract, the University and the Supplier acknowledge that, for the purposes of Data Protection Law, the University is the Data Controller and the Supplier is the Data Processor of such Disclosed Data. 22.2 The Parties agree that the Supplier may only process Disclosed Data on and in the Supplier or the Supplier’s Sub-Contractors’ data centres in the EEA and the Disclosed Data may not be stored, transferred, located or otherwise processed outside of such area. Neither the Supplier nor any of its Sub-Contractors are entitled to transfer any the Disclosed Data outside of the EEA without the University’s prior written consent (and otherwise procuring the University’s compliance with the Eighth Data Protection Principle of the Data Protection ▇▇▇ ▇▇▇▇ or equivalent restrictions under Data Protection Law). 22.3 The Supplier warrants and undertakes that it is solely responsible for ensuring that the Disclosed Data is processed by it in accordance with the Data Protection Law from the date that it is received from the University. 22.4 The Supplier undertakes to the University that it shall use the Disclosed Data only for purposes necessary for the performance of its obligations under the Contract and only in accordance with the instructions given from time to time by the University. 22.5 The Supplier shall (and shall procure that any of the Supplier's Personnel involved in the provision of the Contract shall) comply with any notification requirements under Data Protection Law and both Parties shall duly observe all their obligations under Data Protection Laws which arise in connection with the Contract.
Supplier’s Personnel
22.6 The Supplier will ensure that access to the Disclosed Data is limited to: (a) Supplier’s Personnel who need access to the Disclosed Data to meet the Supplier's obligations under the Contract (the “Relevant Employees”); and (b) in the case of any access by any of the Supplier’s Personnel, such part or parts of the Disclosed Data as is strictly necessary for performance of said Supplier’s Personnel duties.
22.7 The Supplier will ensure that its Relevant Employees: (a) only Process Disclosed Data to the extent permitted by the Contract; (b) are bound by appropriate obligations of confidentiality in respect of the Disclosed Data and understand that the Disclosed Data is confidential in nature; (c) have undertaken training in Data Protection Law; and (d) are aware of the Supplier's obligations under such Data Protection Law and the Contract. 22.8 Without affecting the generality of clause 22.7, the Supplier will take appropriate steps to ensure the reliability of any of Supplier's Personnel who have access to the Disclosed Data.

Appears in 2 contracts

Sources: Purchase Agreement, Purchase Agreement

Data Protection. For the purposes of the Data Protection Act 1998, the Applicant agrees and gives consent to the holding and processing of personal data relating to the Applicant in any form, (whether obtained or held in writing, electronically or otherwise) by the Producer, affiliated companies of the Producer or the broadcaster for purposes connected with the relationship hereunder including, but not limited to: verifying your age and identity, carrying out background checks with law enforcement and government agencies, taking decisions as to fitness to take part, and ensuring compliance with the Producer’s legal obligations. The Producer wishes to ensure that the information it holds remains as accurate as possible. The Producer may therefore at any time request the Applicant to update the information relating to the Applicant held by the Producer and the Applicant should, in any event, inform the Producer as soon as practicable of any changes to the Applicant’s personal information. The Applicant may review and update the information at any time, on reasonable notice to the Producer. The Producer may, from time to time, need to make some of the Applicant’s information available to legal and regulatory authorities, lawyers and/or other outside professional advisors, and to other parties which provide products or services to the Producer (such as IT systems suppliers and medical practitioners). Some of these recipients will be located in Europe, but others may be located, or have relevant operations located, elsewhere such as in the US or elsewhere, where data protection and privacy regulations may not offer the same level of protection as applies in the EU. However, the Producer will at all times take reasonable steps to ensure the security and confidentiality of personal data.
15. The Company shall not be liable to the Applicant for any loss or damage or injury to the Applicant or the Applicant’s property or any economic loss including without limitation loss of earnings caused or suffered in connection with the Selection Process and/or the pre-production and/or production of the proposed Programme or any advice given to the Applicant by the Company or its employees, servants or contractors unless caused by the negligence of the Company and recoverable on that ground.
16. The Applicant agrees that the Contribution shall be true and original to the Applicant and shall not contain anything which is defamatory or an infringement of copyright or in contempt of court or which is calculated to bring the Programme, the Company or the commissioning broadcaster into disrepute. 17. Nothing contained in this Agreement shall constitute an undertaking by the Company to produce or exhibit the Programme or to use the Contribution or any part of it in the Programme or its exploitation. 18. The Applicant is free to enter this Agreement and hereby agrees to indemnify the Company in respect of all actions, proceedings, claims, damages and other liabilities, which may be brought against or incurred by the Company as a result of the breach of any of the Applicant’s warranties, representations, obligations or undertakings contained in this Agreement. 19. The Company shall be entitled to assign the benefit of this agreement either in whole or in part to any of its subsidiary or associated companies or successors in title and/or any third party. 20. The Applicant agrees that in the event of any breach of this agreement by the Company the Applicant shall not be entitled to enjoin and/or injunction the distribution and/or exploitation of the Programmes and any legal remedy the Applicant may have shall lie in an action at law for damages.
21. The provisions of the Contracts (Rights of Third Parties) Act 1999 shall apply to this Agreement to the extent that it confers benefits on Bah Media Film Production Limited and or ▇▇▇▇▇▇▇ ▇▇▇ but not otherwise, and it is expressly agreed that any breach of the terms of this Agreement shall entitle Bah Media Film Production Limited and ▇▇▇▇▇▇▇ ▇▇▇, as interested parties (and no other third party) in their own right, jointly and severally to enforce the terms of this Agreement in part or in full. 22. The Courts of England shall have exclusive jurisdiction in relation to the terms and conditions of the Agreement, which shall be interpreted according to the laws of England.

Appears in 1 contract

Sources: Applicant Release Form and Confidentiality Agreement

Data Protection. 10.1 The Parties shall at all times comply with the Data Legislation. 10.2 The Council and the Recipient acknowledge that each Party is individually a Data Controller in respect of any Personal Data Processed by it and each agree to comply with its respective obligations under Data Protection Legislation accordingly. 10.3 The Recipient agrees that it is the data controller of any personal data processed by it pursuant to the Project/Funded Activities, as those terms are defined in the Data Protection Legislation in force at the relevant time. It will comply fully with the Data Protection Legislation to the extent that they are applicable to it and with the ICO’s public guidance for data controllers. 10.4 The Recipient shall (and shall procure that any of its staff, employees, agents, consultants, third party or any Sub-Recipient involved in connection with the activities under the Agreement shall) comply with their obligations under the Data Protection Legislation and shall enter into appropriate arrangements with such third parties.
10.5 On request from the Council, the Recipient will provide the Council with all such relevant documents and information relating to the Recipient’s data protection policies and procedures as the Council may reasonably require. In the event that the Parties agree it is necessary to share, exchange or jointly hold Personal Data for the purpose of fulfilling the Parties’ obligations under this Agreement (except where one Party shall be processing Personal Data on the other’s behalf) then the Parties shall: (a) where possible in order to facilitate the exchange of information, anonymise or aggregate such information to the degree that it does not identify any individual; and (b) agree such additional or varied terms as are necessary to ensure full compliance with the Data Protection Legislation.
10.6 In the event that the Parties agree it is necessary to share, exchange or jointly hold Personal Data for the purpose of fulfilling the Parties’ obligations under this Agreement (except where one Party shall be processing Personal Data on the other’s behalf) then the Parties shall: (a) where possible in order to facilitate the exchange of information, anonymise or aggregate such information to the degree that it does not identify any individual; and (b) agree such additional or varied terms as are necessary to ensure full compliance with the Data Protection Legislation. 10.7 In the event that the Council determines that the Recipient is processing Personal Data on the Council’s behalf then the Recipient shall immediately enter into a Data Processing Agreement with the Council on reasonable terms to be determined by the Council to ensure full compliance with the Data Protection Legislation. Failure by the Recipient to enter into such an agreement shall constitute a serious breach of this Agreement and the Council may exercise its rights under this Agreement to withhold/suspend/reduce payment or require payment in full or part of the Grant in accordance with clause 11 and/or terminate this Agreement in accordance with clause 18.
10.8 The Recipient shall indemnify and keep the Council indemnified in full for any and all costs, claims, losses, damages, expenses, liabilities, fines, penalties, interest or otherwise for which the Council may become liable as a result of the Recipient’s failure (or the Recipient’s employee’s agents or any sub-recipient’s failure) to comply with their obligations under Data Protection Legislation or this clause 10. 10.9 Any clause in this Agreement limiting the Recipient’s liability in respect of any obligations, costs, claims, losses, damages, expenses, liabilities, fines, penalties, interest or otherwise under the Data Protection Legislation and/or this clause 10 shall not apply.

Appears in 1 contract

Sources: Support Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Schedule 3 by the Council and may not be determined by the Contractor. The Contractor shall (and shall procure that any of the Contractor Staff involved in the provision of the Agreement) comply with any notification requirements under the DPA and both parties will duly observe all their obligations under the DPA which arise in connection with the Agreement. The Contractor shall comply with any notification requirements under the Data Protection Legislation and shall observe all of its obligations under the Data Protection Legislation which arise during the Term of the Agreement. The Contractor acknowledges that they shall not hold or process any personal data unless such data applies for the performance of the Agreement a process shall be agreed between the Contractor and the Council as to how the personal data shall be managed. If a breach does occur by the Contractor of its obligations under the Data Protection Legislation then the Council may terminate the Agreement.
If the Contract is terminated by the Council the Contractor shall comply with the Council’s requirements which may include: the delivery of the originals of such information, records and papers to the Council’s offices or such other address as specified by the Council, and/or; immediately destroy all original and copies of such information, records and papers; The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 3, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Council before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: are independent controllers aware of their and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained 
and the following conditions are fulfilled: the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing operations performed of the Personal Data; at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. Subject to clause 12.9, the Contractor shall notify the Council immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such Personal Datarequest is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause 12.8 shall include the provision of further information to the Council in phases, as details become available. 
Taking into account the state nature of the artprocessing, the costs Contractor shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.8 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: the Council with full details and copies of implementation the complaint, communication or request; such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Council, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Council following any Data Loss Event; assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than two hundred and fifty (250) staff, unless: the Council determines that the processing is not occasional; the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the nature, scope, context and purposes of Council determines that the processing as well as the is likely to result in a risk of varying likelihood and severity for to the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing Data Subjects. 
The Contractor shall allow for audits of Personal its Data will meet Processing activity by the requirements of Council or the Privacy LawsCouncil’s designated auditor. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from The Contractor shall designate a data subject protection officer if required by the Data Protection Legislation. Before allowing any Sub-processor to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer process any Personal Data related to a territory outside this Agreement, the Contractor must: notify the Council in writing of the European Economic Area intended Sub-processor and processing; obtain the written consent of the Council; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 12 such that they apply to the Sub-processor; and provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 
The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. The Council may, at any time on not less than twenty ("EEA"20) unless Working Days’ notice, revise this clause by replacing it has taken such measures as are necessary with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than twenty (20) Working Days’ notice to the Contractor amend this agreement to ensure the transfer is in compliance that it complies with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved any guidance issued by the European CommissionInformation Commissioner’s Office. Recipient will not make any effort to identify individuals who are or may be The provisions of this clause shall apply during the donors continuance of the Original Material Agreement and may not combine Data indefinitely after its expiry or results of the Project with other data which may result in identification of a donortermination.

Appears in 1 contract

Sources: Goods, Service & Works Agreement

Data Protection. 11.1 For the purposes of this Schedule "Personal Data", "Data Processor", "Data Subject", "Data Controller" and "Process" shall have the meanings ascribed to them in the Data Protection Act 1998 (the "DPA") as amended or re-enacted from time to time. 11.2 LRQA warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this Agreement. 11.3 LRQA undertakes that to the extent that LRQA and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Agency ("the Agency’s Personal Data") for the purpose of providing the Services, it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA.
In particular, LRQA agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 10.3.1 LRQA shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the Agency’s Personal Data and any person it authorises to have access to any the Agency’s Personal Data will respect and maintain the confidentiality and security of the Agency’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the Agency, when providing the Services on the Agency’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 10.3.2 LRQA shall only process Personal Data for and on behalf of the Agency for the purpose of performing the Services in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written Instructions from the Agency to ensure compliance with the DPA; 10.3.3 LRQA shall allow the Agency to audit LRQA's compliance with the requirements of this Clause 11 on reasonable notice and/or, at the Agency’s request, provide the Agency with evidence of LRQA's compliance with the obligations within this Clause 11.
11.4 LRQA undertakes not to disclose or transfer any of the Agency’s Personal Data to any third party without the prior written consent of the Agency save that without prejudice to Clause 11.3 LRQA shall be entitled to disclose the Agency’s Personal Data to employees and third parties to whom such disclosure is reasonably necessary in order for LRQA to carry out the Services, or the extent required under a court order. 11.5 LRQA shall: 11.5.1 take reasonable steps to ensure the reliability of any Consultant Personnel who have access to the Personal Data; 11.5.2 ensure that all Consultant Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 11; 11.5.3 ensure that none of Consultant Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Agency;

Appears in 1 contract

Sources: Services Agreement

Data Protection. 12.1 The parties will comply with the applicable requirements of the Data Protection Legislation. 12.2 Each party shall only process Personal Data for the purposes of complying with and for the duration of this Agreement, unless a party is permitted or required to keep the Personal Data for a longer period by law. 12.3 Where the BID Company is processing Personal Data on behalf of the Council, the parties acknowledge that the Council is the Controller and the BID Company is the Processor. Both parties shall ensure that they each hold a record of processing as required by the Data Protection Legislation. 12.4 Where the BID Company is processing Personal Data on behalf of the Council, the Council will ensure that it has the necessary consents or can comply with another processing condition contained within the Data Protection Legislation and that it has the appropriate notices and privacy 12.5 Where the BID Company is acting as a Processor, the BID Company shall: a) act only on the Council’s written instructions; b) have in place appropriate technical and organisational security measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing; c) ensure any staff who have access to the Personal Data are obliged to keep it confidential; d) assist the Council (at the BID Company’s own cost) to respond to an individual’s request to enforce their rights of subject access, rectification, erasure and any other rights conferred by the Data Protection Legislation; e) assist the Council (if requested) (at the BID Company’s own cost) with respect to security, breach notifications, impact assessments and any investigations by a supervisory authority; f) notify the Council without undue delay in the event of a data security breach and where acting as a Processor shall assist with any investigation; g) maintain and keep up to date the data processing record referred to above; h) delete or return all personal data to the Council as requested at the end of the Agreement (unless already deleted in line with the Council’s retention policy); and i) submit to audits and inspections and provide the Council with whatever information it needs to ensure that both parties are complying with their obligations under the Data Protection Legislation and inform the Council immediately if asked to do something that is likely to infringe the Data Protection Legislation or other law of the UK, EU or a member state; j) only process Personal Data relevant to this agreement from the relevant categories of individuals listed below: 1. Council staff and members 2. Members of the public 3. Council customers 4. Council contractors or other suppliers k) not appoint a third-party sub-processor without the prior written consent of the Council.
The BID Company shall ensure that any third-party processor will enter into an agreement incorporating the same or substantially similar terms contained herein in relation to the Data Protection Legislation; l) enter into a data transfer agreement, where this agreement will involve or require a transfer of any Personal Data from one country to a country outside the country of origin and if required by applicable law, that is consistent with the requirements of applicable law and ensures that: 1. the individuals have enforceable rights and effective legal remedies in relation to any transferred Personal Data; and 2. adequate levels of protection in relation to any Personal Data that is transferred.
12.6 The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.

Appears in 1 contract

Sources: Operating Agreement

Data Protection. Protection of personal privacy and data shall be an integral part of the business activities of Vendor to ensure there is no inappropriate or unauthorized use of the State of Iowa’s Confidential Information at any time. To this end, Vendor shall safeguard the confidentiality, integrity and availability of the State of Iowa’s Confidential Information. In so doing, Vendor shall comply with the following conditions: Vendor shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of State of Iowa Confidential Information. Such security measures shall be in accordance with recognized industry practice (including, NIST 800-53 Revision 4 and ISO27001:2013 standards and controls) and not less stringent than the measures the Vendor applies to its own personal data and non-public data of similar kind.
Additionally, such securities measures, to the extent applicable, shall comply with, and shall enable the State to at all time comply fully with, all applicable federal, state, and local laws, rules, ordinances, codes, regulations and orders related to such security measures or other date security or safeguarding requirements, including but not limited to [name any specific laws or rules that may be of import, including Vendor’s potential obligation to ensure State’s compliance with laws applicable to the State, rather than Vendor]. All State of Iowa Confidential Information shall be encrypted at rest and in transit with controlled access. Unless otherwise expressly provided herein or otherwise agreed to by the Parties in writing, Vendor is responsible for encryption of all State of Iowa Confidential Information. Additionally, Vendor shall ensure hard drive encryption consistent with validated cryptography standards as referenced in Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules for all Personal Data, unless the State of Iowa approves in writing the storage of Personal Data on a Vendor portable device. At no time shall any State of Iowa Confidential Information be copied, disclosed or retained by Vendor, any subcontractor, or any other party related to Vendor for subsequent use in any transaction that does not include the State of Iowa.
Vendor shall not use any State of Iowa Confidential Information collected, processed, stored or transmitted in connection with the Services provided under this Agreement for any purpose other than fulfilling Vendor’s express obligations and duties under this Agreement.

Appears in 1 contract

Sources: Software as a Service and Professional Services Agreement

Data Protection. 15.1 ▇▇▇▇’s Privacy Policy explains how and for what purposes we collect, use, retain, disclose, and safeguard the Personal Data that the Client provides to Nium. The Client agree to the terms of ▇▇▇▇’s Privacy Policy, which Nium may update from time to time. 15.2 The Client represents and warrants to Nium that it has the legal right to disclose all Personal Data disclosed to Nium under or in connection with this Agreement. 15.3 Nium and the Client each acknowledges and agrees that they each act as independent data controller, or the equivalent under Data Protection Legislation in relation to the Personal Data they each Processes under or in connection with this Agreement. Each Party shall comply with its respective obligations under Data Protection Legislation. 15.4 Nium and the Client shall each ensure that access to Personal Data is limited to Nium’s or the Client’s Personnel who have a reasonable need to access Personal Data to enable Nium or the Client to perform its respective obligations under this Agreement.
15.5 If Nium or the Client receives or becomes aware of the following, it shall promptly notify the other Party of: (a) any breach of security or unauthorised access to Personal Data within forty eight (48) hours of becoming aware of such incident; and (b) any complaint, inquiry or request from a Data Subject or Data Protection Authority regarding Personal Data unless such notice is prohibited by Data Protection Legislation. 15.6 Each Party shall refrain from notifying or responding to any Data Subject or Data Protection Authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) by Data Protection Legislation. 15.7 The Client acknowledges and agrees that ▇▇▇▇, at its sole discretion, may disclose any Personal Data or transaction-related information to the Program Bank or third parties in order to perform Nium’s obligations under this Agreement as required under Law, including but not limited to anti-money laundering, sanctions, or as may otherwise be required by Law.
Furthermore, such disclosure may be made to any Regulatory Authority, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such Regulatory Authority in the ordinary course of business. 15.8 Nium may transfer Personal Data on a global basis as necessary to provide the Services. In particular, Nium may transfer Personal Data to its Affiliates and sub-processors in other jurisdictions. Where Nium transfers Personal Data under this Agreement to a country or recipient not recognised as having an adequate level of protection for Personal Data according to Data Protection Legislation, Nium will comply with its obligations under Data Protection Legislation.

Appears in 1 contract

Sources: Nium Services Agreement

Data Protection. 16.1 Each party shall comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 16.2 Incisive and Sponsor acknowledge that for the purposes of the Data Protection Legislation, either party may be the Data Controller depending upon what is specified in the Order Form. 16.3 Without prejudice to the generality of clause 16.1, the Data Controller shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Data Processor for the duration and purposes of this Agreement. 16.4 Without prejudice to the generality of clause 16.1, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by it of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Data Controller unless the Data Processor is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Data Processor to process Personal Data (Applicable Laws). Where the Data Processor is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;

Appears in 1 contract

Sources: Event Sponsorship Agreement

Data Protection. The Parties agree that in relation to: Personal Data processed by the Contractor in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Contractor shall be the sole Data Controller; and Personal Data, the processing of which is required by CGL or the Head Contractor for the purposes of quality assurance, performance management and contract management, CGL, the Head Contractor and the Contractor will be independent Data Controllers; (together the “Agreed Purpose”). Where CGL or the Head Contractor requires information under clause 6.1.2 above, the Contractor shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of CGL or the Head Contractor, the Contractor shall provide such information in pseudonymised form where possible. Schedule 2 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and duration of Processing. Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. In relation to the Processing of any Personal Data, each Party shall: ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; process the Personal Data only for the Agreed Purpose; not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the care and handling of Personal Data; ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data in accordance with Article 32 GDPR; not transfer any Personal Data outside of the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; and assist the other Party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Commissioner’s Office. Each Party shall notify the other Party without undue delay on becoming aware of any Personal Data Breach under this Agreement. Each Party acknowledges that the Party is committed to eliminating all risk of bribery and corruption in its business relationships. Each Party acknowledges and agrees that the other Party shall not be under any obligation to carry out any action or make any omission under this Agreement to the extent that it reasonably believes would be in breach of any Anti-Corruption Legislation. Each Party acknowledges and agrees that neither it nor any third party has breached any Anti-Corruption Legislation in order for it to enter into this Agreement.

Appears in 1 contract

Sources: Service Level Agreement

Data Protection. The processing of the personal data included in the heading of this contract shall be carried out in accordance with the provisions of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and shall be incorporated into the processing system owned by Consorci de la ▇▇▇▇ ▇▇▇▇▇▇ de Barcelona, hereinafter “CZFB”, for the purpose of providing you with the services contracted as a client and to send you advertising and commercial prospecting and/or documents and communications that may be of interest to you. The parties shall at all times properly comply with the provisions contained in the aforementioned Regulations and any other regulations in force or that may be enacted in the future on the subject. The data collected will be kept for the duration of the service, as well as during the periods of limitation of legal actions in case of possible liability that may arise from the contractual relationship, and will be treated in a lawful, fair, transparent, relevant, limited, and updated, taking all reasonable measures to ensure that they are deleted or rectified without delay when they are inaccurate. Also, your data may be communicated to public administrations and all those entities and collaborators that are necessary to provide the services. Failure to provide the data to the aforementioned entities implies that the provision of services cannot be fulfilled. You may exercise your rights of access, rectification, suppression and opposition, limitation of processing, data portability and not to be subject to automated individualized decisions, by sending your request to Consorci de la ▇▇▇▇ ▇▇▇▇▇▇ de Barcelona, Av. Parc Logístic, 2-10, 08040 Barcelona, or by e-mail to ▇▇▇@▇▇▇▇▇▇▇▇▇▇▇.▇▇, and submit to the competent Control Authority the claim you deem appropriate. CZFB undertakes not to disclose any confidential data relating to the other Party’s business to which it may have access without the prior express consent of the other Party. CZFB also guarantees that it has informed and obtained the agreement of its employees to the express prohibition on disclosing any data to which they may accidentally have access in connection with the services provided, and the commitment to maintain the secrecy of such information and documentation to which they may have access, in accordance with Article 5 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights. Upon completion of the agreed services, CZFB shall proceed to delete or, where appropriate, return the personal data obtained during the performance of the services, regardless of the medium or document on which they are contained, unless the retention of the personal data is required by the applicable regulations. It shall be the responsibility of the recipient to control the disclosure of such data within its organization.

Appears in 1 contract

Sources: Not Specified (Wallbox N.V.)

Data Protection. Each party warrants that it shall comply with the Data Protection Laws and take appropriate technical and organisational measures against the unauthorised or unlawful collection, holding, processing, use, and/or access of any Personal Data which it receives from the other party and against the unauthorised or accidental access, erasure, loss, use, destruction of, or damage to, such Personal Data. The Client acknowledges that it shall receive Personal Data relating to the candidates under this Agreement and as part of the Introduction services. Therefore, the Client shall: only use the Personal Data of a candidate to the extent necessary to evaluate that candidate, and shall not keep the Personal Data for longer than is necessary to do so; ensure that access to the Personal Data of a candidate is limited to employees that strictly need to access such Personal Data for the purpose of evaluating that candidate and that such employees will be informed of the confidential nature of such Personal Data; ensure that all Personal Data provided under this Agreement is treated as strictly confidential; ensure that Personal Data is not accessible by any Unauthorised Persons; immediately inform Phaidon on becoming aware that any Personal Data has been lost, destroyed or stolen; and not transfer the Personal Data outside of Hong Kong unless the Client can demonstrate (to Phaidon’s reasonable satisfaction) that the Personal Data will be afforded an adequate level of protection as required under the Data Protection Laws. Both parties acknowledge and agree that either party will not tolerate bribery in any form in connection with the conduct of its business. Both parties shall comply with all applicable laws, statutes, regulations, codes and guidance relating to anti-bribery and anti-corruption ("Anti-Bribery Laws"), including without limitation the CAP 201 Prevention of Bribery Ordinance, and shall: not engage in any activity, practice or conduct which would constitute an offence under the CAP 201 Prevention of Bribery Ordinance; not do, or omit to do, any act that will cause either party to be in breach of the Anti-Bribery Laws; and promptly report to the other party any request or demand for any undue financial or other advantage of any kind received by the party in connection with the performance of this Agreement. The Client shall promptly notify Phaidon if, at any time during the term of this Agreement, its circumstances, knowledge or awareness changes such that it would not be able to repeat the warranties set out in these clauses. Breach of the Anti-Bribery clauses shall be deemed a material breach of this Agreement. The breaching party shall indemnify the non-breaching party against any losses, liabilities, damages, costs and expenses incurred by the non-breaching party as a result of any breach of these clauses by the breaching party (including any consequential loss or damage).

Appears in 1 contract

Sources: Recruitment Agreement

Data Protection. 11.1 The parties agree that in performing their obligations under the Agreement, they shall comply with the provisions of all applicable Data Protection Legislation to the extent it applies to them. 11.2 The parties shall be separate data controllers of any Personal Data obtained from the other for the purpose of this Agreement. 11.3 The parties shall process the Personal Data only in accordance with the Data Protection Legislation and shall not process the Personal Data for any purposes other than those as may be expressly authorised from time to time. 11.4 The parties will ensure that the Personal Data is only released to authorised individuals who are trained in data protection and have committed themselves to confidentiality. 11.5 The parties shall ensure that they have in place appropriate technical and organisational measures to protect the Personal Data provided against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. 11.6 The parties shall implement appropriate records keeping practices, making such records available to the parties or a supervisory authority on request. 11.7 The parties shall not transfer any personal data to any country outside the European Economic Area without demonstrating appropriate safeguards under Data Protection Legislation. 11.8 Where one party shares Personal Data with the other party the disclosing party warrants: (i) The Personal Data has been obtained by the disclosing party in accordance with the Data Protection Legislation; (ii) Privacy notices provided to Data Subjects are compliant with, and have been provided to the Data Subject in a manner which is compliant with, the Data Protection Legislation; (iii) There are no circumstances of which the disclosing party is aware which are likely to give rise to a breach of the Data Protection Legislation in the future (including any unauthorised disclosure) or any notice, complaint, claim or notification from a Data Subject or regulator; and (iv) Transferring the Personal Data to the recipient in accordance with this Agreement will not constitute a breach of the Data Protection Legislation.

Appears in 1 contract

Sources: Agreement Between Icaew and the School for Services Related to Competitions

Data Protection. 2.1 Arrangement between the parties 2.1.1 The parties shall each Process the Personal Data. The parties acknowledge that the factual arrangements between them dictate the classification of each party in respect of the Data Protection Laws. Notwithstanding the foregoing, the parties anticipate that, in respect of the Personal Data, as between the Training Provider and ISL for the purposes of this Contract, the Training Provider shall act as a Controller and ISL shall, depending on the circumstances of the processing, act as a Controller or a Processor, as follows: (a) The Training Provider shall be a Controller where it is Processing Personal Data in relation to Delegates; (b) ISL shall be a Controller in relation to passing enquiries from potential Delegates to the Training Provider, and related obligations; and (c) ISL shall be a Processor where it is Processing Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under this Contract. 2.1.2 Each party acknowledges and agrees that Appendix A to this Contract is an accurate description of the Data Processing Particulars. 2.1.3 ISL undertakes to the Training Provider that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Data Protection Laws and ISL will, at its own expense, assist the Training Provider in discharging its obligations under the Data Protection Laws as more particularly detailed in this paragraph 2. ISL shall not, whether by act or omission, cause the Training Provider to breach any of its obligations under the Data Protection Laws. 2.1.4 Each party shall comply with all the obligations imposed on a Controller under the Data Protection Laws.
2.2 Data Processor obligations 2.2.1 To the extent that ISL Processes any Personal Data as a Processor for and on behalf of the Training Provider (as the Controller) it shall: (a) only Process the Personal Data for and on behalf of the Training Provider for the purposes of performing its obligations (b) keep a record of any Processing of the Personal Data it carries out on behalf of the Training Provider; (c) take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed (d) within thirty (30) calendar days of a request from the Training Provider, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Training Provider (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Paragraph 1.2, and provide reasonable (e) not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Training (f) promptly comply with any request from the Training Provider to amend, transfer or delete any Personal Data; (g) notify the Training Provider promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or ICO Correspondence and shall: (i) not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence without first consulting with and obtaining the Training Provider’s prior written consent; and (ii) provide the Training Provider with all reasonable co-operation and assistance required by the Training Provider in relation to any such Data Subject Request or ICO Correspondence; (h) notify the Training Provider promptly (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected, threatened or “near miss” Personal Data Breach in relation to the Personal Data (and follow-up in writing) and shall: (i) conduct or support the Training Provider in conducting such investigations and analysis that the Training Provider reasonably requires in respect of such Personal Data Breach; (ii) implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and (iii) assist the Training Provider to make any notifications to the ICO and affected Data Subjects; (i) comply with the obligations imposed upon a Processor under the Data Protection Laws; (j) use all reasonable endeavours to assist the Training Provider to comply with the obligations imposed on the Training Provider by the Data Protection Laws, including: (i) compliance with the Security Requirements; (ii) obligations relating to notifications required by the Data Protection Laws to the ICO and/or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the ICO and/or any equivalent regulatory body in respect of any such Data Protection Impact Assessments); and (iv) without undue delay and where feasible not later than 72 hours after having become aware of it notify Personal (k) upon the earlier of: (i) the receipt of a written direction of the Training Provider; (ii) termination or expiry of this Contract (as applicable); and (iii) the date on which Personal Data is no longer relevant to, or necessary for, the Permitted Purpose, ISL shall (l) not make (nor instruct or permit a third party to make) a transfer of Personal Data to a Restricted Country except with the prior written consent of the Training Provider and in accordance with any terms the Training Provider may impose on such transfer as the Training Provider deems necessary to satisfy the requirements (m) maintain complete and accurate records and information to demonstrate its compliance with this paragraph 1.2.
2.3 ISL Personnel 2.3.1 ISL shall only disclose Personal Data to its Personnel that has executed standard contractual clauses adopted or approved are required by ISL to assist it in meeting its obligations under this Contract and shall ensure that such Personnel shall have entered into appropriate contractually- binding confidentiality undertakings. 2.4 Appointing sub-contractors 2.4.1 ISL shall not be permitted to appoint a 2.4.2 Notwithstanding any consent given by the European Commission. Recipient will not make Training Provider under paragraph 2.4.1, ISL shall remain primarily liable to the Training Provider for the acts, errors and omissions of any effort sub-contractor to identify individuals who are or may whom it discloses Personal Data, and shall be responsible to the donors Training Provider for the acts, errors and omissions of such sub-contractor as if they were ISL’s own acts, errors and omissions to the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.extent that ISL would be liable to the

Appears in 1 contract

Sources: Training License Agreement

Data Protection. 26.1 For the purposes of this Clause the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing” shall have the meaning prescribed under the Data Protection ▇▇▇ ▇▇▇▇ (DPA) 26.2 The Recipient shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause either the Recipient or the Trust to breach any applicable obligations under the Data Protection Legislation. 26.3 To the extent that the Recipient is required to hold or process Personal Data, whether the data is Trust data or Recipient data, the following provisions of this Clause shall have effect. 26.4 The Recipient shall process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body. 26.5 The Recipient shall not delete or remove any proprietary notices contained within or relating to any Personal data. 26.6 The Recipient shall not store, copy, disclose, process or use Personal Data except as necessary for the performance by the Recipient of its obligations under this Agreement or as otherwise expressly authorised in writing by the Trust. 26.7 The Recipient shall ensure that any system on which it holds any Personal Data, including back-up data, is a secure system.
26.8 The Recipient shall implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected. 26.9 If the Personal Data is corrupted, lost or sufficiently degraded as a result of the Recipient’s default so as to be unusable, the Trust may require the Recipient (at its expense) to restore or procure the restoration of Personal Data, and the Recipient shall do so as soon as practicable. 26.10 If at any time the Recipient suspects or has reason to believe that Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Recipient shall notify the Trust immediately and inform the Trust of the remedial action it proposes to take. 26.11 The Recipient shall obtain prior written consent from the Trust in order to transfer the Personal Data to any sub-contractors or Affiliates for the provision of the Services; 26.12 The Recipient shall ensure that all Recipient Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause
26.13 The Recipient shall provide the Trust with full co-operation and assistance in relation to any complaint or request made in respect of Personal Data, including by; a) providing the Trust with full details of the complaint or request; b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Trust’s instructions; c) providing the Trust with any Personal Data it holds in relation to Data Subject (within the timescales required by the Trust); and d) providing the Trust with any information requested by the Trust in respect of any Complaint; 26.14 The Recipient shall permit the Trust or the Trust Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Recipient’s data processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Trust to enable the Trust to verify and/or procure that the Recipient is in full compliance with its obligations under this Agreement 26.15 The Recipient shall provide a written description of the technical and organisational methods employed by the Recipient for processing of Personal Data within 3 months of a request being made by the Trust
26.16 The Recipient shall not Process Personal Data generated or supplied for the purposes of this Agreement outside of the European Economic Area without the prior written consent of the Trust and, where the Trust consents to a transfer, to comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred any reasonable instructions notified to it by the Trust.

Appears in 1 contract

Sources: Grant Agreement

Data Protection. The Parties, acting both as data controllers in respect of the Personal Information they supply to the other Party, shall, throughout the term of this Agreement, comply with all applicable data protection and privacy Laws, as amended from time to time, including the EU Directive 95/46/EC (EU Data Protection Directive), with respect to the collection, use, processing, storage, transfer, modification, deletion and/or disclosure of any Personal Information under this Agreement. Each Party shall not, through any act or omission, cause the other Party to be in breach of its obligations under applicable Data Protection Laws. In particular: (a) Each Party may only use Personal Information it receives from the other Party solely for the purposes of meeting its obligations under this Agreement and may only transmit such Personal Information to its Affiliates which are directly involved in the research, development, Manufacture or Commercialization of Licensed Products and their Agents solely for the purpose of the Agreement, including client relationship management and keeping track of interactions with the other Party. (b) Each Party shall immediately notify the other if: (i) it receives any complaint, notice or communication which relates directly or indirectly to the processing of; or (ii) it becomes aware of any loss or unauthorised use of, or access to, the Personal Information supplied by the other Party.
(c) Each Party will take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Information and against the accidental loss or destruction of, or damage to, Personal Information, including, providing appropriate training and guidance to their respective staff. (d) Personal Information may only be transmitted to entities outside the European Economic Area and Canada where such entity is located in a country or territory which ensures an adequate level of protection for the rights and freedoms of the individual to whom the Personal Information transferred relates, or where adequate safeguards are in place to ensure compliance with applicable Data Protection Laws. The receiving entity must be under obligations to protect any Personal Information transferred which are no less onerous than those imposed under this Agreement.
(e) Upon request, each Party, its employees and principals can exercise the rights of access, rectification and erasure in respect of the Personal Information it supplies to the other Party, utilizing the notice provisions of this Agreement. (f) The Parties may disclose Personal Information as required by regulatory agencies or otherwise under applicable Law.

Appears in 1 contract

Sources: License and Joint Venture Agreement (Klox Technologies, Inc.)

Data Protection. 13.1. For the purposes of this Agreement the terms "controller", "data subjects", "personal data", "processor," "process," and “supervisory authority” shall have the meaning given to them by EU Data Protection Law. 13.2. Diligent will process any Client Personal Data on the Client's behalf as a processor, and the Client is the controller of such data. Each Party undertakes to comply with all Data Privacy Law applicable to such Party and shall not knowingly cause the other to breach Data Privacy Law. 13.3. Diligent will only process the Client Personal Data on documented instructions from the Client (which instructions constitute, for the avoidance of doubt, the instructions to process Client Personal Data in the course of Diligent’s performance of this Agreement) and not process any such Client Personal Data for any purpose except as set out in this Agreement. 13.4. Diligent will implement appropriate technical and organisational security measures (including confidentiality obligations applicable to Diligent Personnel) to ensure a level of security appropriate to the risks that are presented by the processing of Client Personal Data. In case of a personal data breach which may affect Client Personal Data, Diligent will notify the Client without undue delay after becoming aware of it.
13.5. Diligent will use commercially reasonable efforts to: (i) assist the Client in ensuring compliance with the Client's obligation to respond to requests for exercising data subject's rights under EU Data Protection Law; (ii) make available all information reasonably necessary to demonstrate compliance with Data Privacy Laws; and (iii) allow for and contribute to audits, including inspections and information requests, conducted by the Client or an auditor mandated by the Client, provided that such audit shall be constrained to provision of Diligent’s then-current technical Documentation which relates to the processing of Client Personal Data unless otherwise required by a supervisory authority.
13.6. Diligent will, at the Client's choice, delete or return all Client Personal Data after termination of this Agreement unless otherwise provided by law. 13.7. The Client acknowledges and agrees that Diligent may retain Affiliates and other third parties as sub-processors (all together "Sub-Processors") in connection with the provision of the BoardEffect Platform, and having imposed on such Sub-Processors the same data protection obligations as are imposed on Diligent under this Agreement. Diligent will be liable to the Client for performance of such obligations by the Sub-Processors. 13.8. In order to ensure that adequate safeguards are in place for the processing and transfer of personal data, the Parties shall ensure that personal data is transferred outside of the European Economic Area only where permitted by EU Data Protection Law. Unless otherwise mutually agreed by the Parties, Diligent shall only host Client Data in the United Kingdom, Germany or elsewhere in the European Economic Area.

Appears in 1 contract

Sources: Master Terms Agreement

Data Protection. 8.1 The Parties agree that we are a data controller, and you are a data processor for the purposes of processing Personal and Protected Data pursuant to this Agreement. The Parties shall each ensure, and shall ensure its Sub-processors shall, at all times comply with all data protection laws in connection with the processing of Personal and Protected Data and shall not by any act or omission cause the other (or any other person) to be in breach of any of the data protection laws.
8.2 The Parties shall only process (and shall ensure personnel only process) the Personal and Protected Data in accordance with this Agreement except where otherwise required by Applicable Laws (and in such a case shall inform the other of that legal requirement before processing, unless Applicable Laws prevent it doing so on important grounds of public interest). A Party shall immediately inform the other if any instruction relating to the Personal and Protected Data infringes or may infringe any data protection law. 8.3 The Parties shall at all times implement and maintain appropriate technical and organisational measures to protect Personal and Protected Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set which shall reflect the nature of the Personal and Protected Data. 8.4 The Parties shall not permit any processing of Personal and Protected Data by any Sub-Contractor or other third party (except its and its authorised Sub-processors’ own employees that are subject to an enforceable obligation of confidence with regards to the Personal and Protected Data) without the prior specific written authorisation of the other only then subject to such conditions as the other may require. 8.5 The Parties shall ensure that access to Personal and Protected Data is limited to the authorised persons who need access to it for the purposes of this Agreement only.
8.6 The Parties shall prior to the relevant Sub-processor carrying out any processing activities in respect of the Personal and Protected Data, appoint each Sub-processor under a binding written contract containing the same obligations as under this Clause 8 in respect of Personal and Protected Data that (without prejudice to, or limitation of, the above): 8.6.1 includes providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Personal and Protected Data will meet the requirements of all data protection laws; and 8.6.2 is enforceable by the other Party and ensure each such Sub-processor complies with all such obligations. 8.7 The Parties shall each remain fully liable to the other under this Agreement for all the acts and omissions of each Sub-processor and each of their personnel as if they were its own. 8.8 The Parties shall each ensure that all persons authorised by them or any Sub-processor to process Personal and Protected Data are reliable and: 8.8.1 adequately trained on compliance with this Clause 8 as applicable to the processing of data; 8.8.2 informed of the confidential nature of the Personal and Protected Data and that they must not disclose Personal and Protected Data; 8.8.3 subject to a binding and enforceable written contractual obligation to keep the Personal and Protected Data confidential; and 8.8.4 provide relevant details and a copy of each agreement with a Sub-processor to the Customer on request. 8.9 The Parties shall (at its own cost and expense) promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as the other as they may require in relation to the fulfilment of the other’s obligations to respond to requests for data held (and any similar obligations under any applicable data protection laws).
8.10 The Supplier shall (at its own cost and expense) provide such information, co-operation and other assistance to the other as they reasonably require (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with obligations under data protection laws, including: 8.10.1 security of processing; 8.10.2 data protection impact assessments (where applicable under the data protection laws); 8.10.3 prior consultation with a Data Protection Supervisory Authority regarding any high risk processing of data; and 8.10.4 any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under data protection laws relevant to this Agreement, including (subject in each case to the Customer’s prior written authorisation) regarding any notification of the Personal Data Breach to Data Protection Supervisory Authorities and/or communication to any affected Data Subjects. 8.11 The Parties shall (at no cost to the other) record and refer all requests and communications received from Data Subjects or any Data Protection Supervisory Authority to the other which relate (or which may relate) to any Personal and Protected Data promptly (and in any event within [three days] of receipt) and shall not respond to any without the other’s express written approval and strictly in accordance with the other’s instructions unless and to the extent required by Applicable Laws. 8.12 The Parties shall not process and/or transfer, or otherwise directly or indirectly disclose, any Personal and Protected Data in or to countries outside the United States of America or to any International Organisation without the prior written authorisation (which may be refused or granted subject to such conditions as the Company deems necessary).
8.13 The Parties shall each (and shall ensure all Sub-processors shall) promptly make available to the other such information as is required to demonstrate their compliance with their respective obligations under this Clause 8 and the data protection laws, and allow for, permit, and contribute to audits, including inspections, by the other (or another auditor mandated by that other) for this purpose at their request from time to time. The Parties shall provide (or procure) access to all relevant premises, systems, personnel, and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection. 8.14 The Parties shall each promptly notify the other if it (or any of its Sub-processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual, or threatened occurrence of any Personal Data Breach in respect of any Personal and Protected Data. 8.15 The Parties shall each promptly provide all information as the Company requires to report the circumstances referred to in Clause 8.14 to a Data Protection Supervisory Authority and to notify affected Data Subjects, as applicable, under data protection laws.
8.16 The Parties shall (and shall ensure that each of their Sub-processors and personnel shall), upon written request, either securely delete or securely return all the Personal and Protected Data to the Company in such form as the Customer reasonably requests after the earlier of: 8.16.1 the end of the provision of the relevant Services related to processing of such Personal and Protected Data; or 8.16.2 once processing by the Supplier of any Personal and Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under this Agreement, and securely delete existing copies (except to the extent that storage of any such data is required by Applicable Laws and, if so, the Supplier shall inform the Customer of any such requirement). 8.17 The Parties shall each indemnify and keep indemnified the Company against: 8.17.1 all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a Data Protection Supervisory Authority) arising out of or in connection with any breach by the Supplier of its obligations under clause 6; and 8.17.2 all amounts paid or payable by the other to a third party which would not have been paid or payable if the Party’s breach of clause 8 had not occurred.
8.18 Unless otherwise expressly stated in this Agreement the Party’s obligations and the Customer’s rights and remedies under this Clause 8 is cumulative with, and additional to, any other provisions of this Agreement. 8.19 Nothing in this Agreement affects the rights of Data Subjects under any relevant data protection law against the Customer, the Supplier, or any Sub-Processor. 8.20 This Clause 13 shall survive termination or expiry of this Agreement for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorreason.

Appears in 1 contract

Sources: Retail Agreement

Data Protection. 20.1 The parties agree that in relation to: (a) Personal Data processed by the Service Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Service Provider shall be the sole Data Controller; and (b) Personal Data, the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management, the Authority and the Service Provider will be independent Data Controllers; (together the “Agreed Purpose”).
20.2 Where the Authority requires information, the Service Provider shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Service Provider shall provide such information in pseudonymised form where possible.
20.3 Schedule 12 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing.
20.4 Each party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement.
20.5 Any material breach of the Data Protection Laws by one party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect.
20.6 In relation to the Processing of any Personal Data, each party shall: (a) ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; (b) give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; (c) process the Personal Data only for the Agreed Purpose; (d) not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients; (e) ensure that all Permitted Recipients are reliable and have had sufficient training pertinent to the care and handling of Personal Data; (f) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement; (g) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data in accordance with Article 32 GDPR; (h) not transfer any Personal Data to a territory outside of the European Economic Area unless the transferor ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer; and (i) assist the other party (at its own cost) in responding to any request from a Data Subject and in ensuring its compliance with all applicable requirements and obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or the UK’s Information Authority’s Office.
20.7 Each party shall notify the other party without undue delay on becoming aware of any Personal Data Breach under this Agreement.

Appears in 1 contract

Sources: Service Agreement

Data Protection. 21.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 21 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
21.2 The parties acknowledge that if ABP Consultancy processes any personal data on the Client's behalf when performing its obligations under this Agreement, the Client is the controller and ABP Consultancy is the processor for the purposes of the Data Protection Legislation.
21.3 Without prejudice to the generality of clause 21.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to ABP Consultancy for the duration and purposes of this Agreement so that ABP Consultancy may lawfully use, process and transfer the personal data in accordance with this Agreement on the Client's behalf.
21.4 Without prejudice to the generality of clause 21.1, ABP Consultancy shall, in relation to any personal data processed in connection with the performance by ABP Consultancy of its obligations under this Agreement: 21.4.1 process that personal data only on the documented written instructions of the Client unless ABP Consultancy is required by the laws of any member of the European Union or by the Local Data Protection Legislation and any other law to which ABP Consultancy is subject in relation to the processing of personal data for the purposes of this Agreement (Applicable Laws). Where ABP Consultancy is relying on Applicable Laws as the basis for processing personal data, ABP Consultancy shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit ABP Consultancy from so notifying the Client; 21.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 21.4.3 not transfer any personal data outside of the Permitted Data Area unless the following conditions are fulfilled: (a) the Client or ABP Consultancy has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) ABP Consultancy complies with its obligations under the Local Data Protection Legislation including where so required by providing an adequate level of protection to any personal data that is transferred; and (d) ABP Consultancy complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data; 21.4.4 assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 21.4.5 notify the Client without undue delay and in any event within 2 Business Days on becoming aware of a personal data breach; 21.4.6 at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the personal data; 21.4.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 23 and allow for audits by the Client or the Client's designated auditor and immediately inform the Client if, in the opinion of ABP Consultancy, an instruction infringes the Data Protection Legislation; and 21.4.8 indemnify the Client against any loss or damage suffered by the Client in relation to any breach by ABP Consultancy of its obligations under this clause 23.
21.5 The Client does not consent to ABP Consultancy appointing any third-party processor of personal data under this Agreement without the Client’s prior written consent.
21.6 Either party may, at any time on not less than 30 days' notice, revise this clause 21 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).
21.7 Without prejudice to the generality of clause 21.1, ABP Consultancy shall: 21.7.1 take reasonable precautions to preserve the integrity of any data which it processes and to prevent any corruption or loss of such data; 21.7.2 make a backup copy of such data every week and record the copy on media from which the data can be reloaded if there is any corruption or loss of the data.

Appears in 1 contract

Sources: Master Services Agreement

Data Protection. Where on the basis of this Agreement and in accordance with the national laws of both Contracting Parties, personal data is transferred, the following provisions shall be applied:
(a) For the purpose of implementing this Agreement, only personal data necessary for providing benefits or otherwise necessary for the purposes specified in Article 23.1 of this Agreement may be disclosed by one Contracting Party to the Competent Institution of the other Contracting Party. The receiving Contracting Party may process and use this data for such purposes. In all other cases, data may be disclosed to other institutions exclusively with the prior consent of the transmitting Competent Institution and in accordance with the national laws applicable to such institutions.
(b) The Competent Institution receiving such data shall, upon request and in individual cases, inform the Competent Institution providing the data of the purpose for which it has used the data disclosed and the results of such use.
(c) The Competent Institution providing data must ensure that the data to be disclosed is accurate, and is necessary and proportional from the point of view of the purpose of data disclosure. At the same time, all valid data provision prohibitions must be taken into consideration, pursuant to the national legislation of that Contracting Party. If it becomes evident that the data disclosed is incorrect, or data has been supplied that may not have been disclosed under the legislation of the Contracting Party providing the data, the receiving Competent Institution shall be notified without delay. The receiving Competent Institution shall correct or delete such data, as appropriate.
(d) The Competent Institution as well as the Competent Authority shall inform the person concerned upon their request, on the data about him and the purpose of using such data, on the legal basis for and the duration of the use of the data, and on who and for what purpose has received or shall receive such data. In other respects, the rights of the person concerned with regard to being informed of data held about him/her shall be subject to the national legislation of the Contracting Party whose Competent Institution or Competent Authority was requested to provide the information.
(e) If a Competent Institution of one Contracting Party has disclosed personal data under this Agreement, the receiving Competent Institution of the other Contracting Party, within its responsibility under the domestic legislation applicable to it, may not argue against the person concerned that the data provided was incorrect. Payment of compensation for damages due to incorrect provisioning of data shall be governed by the laws of the Contracting Party which provided incorrect information.
(f) Personal data received shall be deleted without delay when it is no longer required for the purpose of disclosure.
(g) The transmission and receipt of personal data shall be recorded both by the transmitting and by the receiving Competent Institutions.
(h) Both the transmitting and the receiving Competent Institutions shall ensure the effective protection of personal data from unauthorized access, illegal alterations and disclosure.
(i) On the request of the person concerned, both the receiving and the transmitting Competent Institutions shall correct the incorrect data handled by it or delete data handled illegally. The other Competent Institution shall be immediately informed of such correction or deletion.
(j) The Contracting Parties shall ensure that, in case of the infringement of the rights related to their personal data protection, the persons concerned may seek remedy under the laws of the Contracting Party which infringed the person’s rights.
(k) Data processed under this Agreement shall be subject to independent oversight according to national law of the Contracting Parties.

Appears in 1 contract

Sources: Agreement on Social Security

Data Protection. B36.1 Each Party shall comply with their respective duties under the Data Protection Legislation and any successor legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties.
B36.1 The Parties agree that in relation to: B36.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and B36.1.2 Personal Data, the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management, the Authority and the Provider will be independent Data Controllers; (together the “Agreed Purpose”).
B36.2 Where the Authority requires information under clause B36.2 above, the Provider shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider shall provide such information in pseudonymised form where possible.
B36.3 Appendix M sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and the duration of Processing.
B36.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement.
B36.5 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect.
B36.6 In relation to the Processing of any Personal Data, each Party shall: B36.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; B36.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; B36.6.3 process the Personal Data only for the Agreed Purpose; B36.6.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients;

Appears in 1 contract

Sources: Contract for the Provision of Public Health Services

Data Protection. 3.1 As and from the Effective Date, the Contract shall be amended and supplemented by Clauses 3.2 to 3.11 below. To the extent relevant, applicable and/or necessary, this Agreement shall be deemed a data protection addendum between the Parties.
3.2 The Merchant authorises the Carrier to process Personal Data provided to the Carrier or which is made available to it for the purposes of providing Services to the Merchant pursuant to the Contract and for any other purposes set out in Schedule 2.
3.3 The Merchant shall be the “Data Controller” and the Carrier shall be a “Data Processor” for the purposes of the Regulation and/or the Applicable Data Protection Law. The Data Subjects, Categories of Personal Data, Processing Operations and Duration of Processing relevant to the provision of the Services are defined in Schedule 2.
3.4 The Merchant represents and warrants that it complies with the Regulation and any Applicable Data Protection Laws regarding the collection, use and all other security measures of the Personal Data, in particular: (a) all of the Personal Data that the Merchant provides or makes available to the Carrier has been lawfully and validly obtained or processed by the Merchant, and can be lawfully disclosed to the Carrier for the provision of Services and any other agreed purposes. The Processing of such Personal Data will be relevant, fair, lawful and proportionate to the respective uses of the Merchant; (b) all Data Subjects have been informed of the Carrier’s Processing of their Personal Data for the agreed purposes and the Merchant can demonstrate a lawful basis for such Processing; and (c) the Merchant has established a procedure for the exercise of the rights of individuals whose Personal Data are collected and are in its custody or under its control.
3.5 The Merchant agrees that the Carrier is permitted to, and instructs the Carrier to: (a) Process all Personal Data that the Carrier collects from, or relating to, the Merchant in order to provide the Services under the Contract, including but not limited to transferring Personal Data to competent bodies, courts or regulatory authorities in order to provide the Services, comply with Applicable Data Protection Laws or comply with requests from such bodies, courts or authorities; (b) disclose or transfer the Personal Data to its Affiliates, and any of its employees, agents, delegates, Sub-Processors, or competent authorities (including customs and tax authorities) and bodies in order to provide the Services or services ancillary thereto; (c) Process the Personal Data to carry out actions or investigations that the Carrier considers appropriate to meet its obligations arising from applicable laws relating to fraud prevention, sanction, money laundering, terrorist, bribery, corruption, and the provision of other services to persons who may be subject to economic or trade sanctions (including disclosure to Sub-Processors); (d) report regulatory related information to competent bodies or authorities in order to comply with its legal and regulatory obligations; (e) retain the Personal Data for so long as it is required to provide the Services or perform investigations in relation to such, or otherwise required by Applicable Data Protection Law and/or justified under the relevant English or other statutory limitation periods (as applicable), whichever is the later; and (f) Process, retrieve or track the Personal Data for the purpose of updating the Merchant’s records for fees and billing, improving service, servicing the client relationship, developing, operating, maintaining and improving Carrier’s services, products, websites, software and/or other business tools, conducting system testing, troubleshooting and to advise the Merchant of other products and services offered by the Carrier and/or its Affiliates.
3.6 Unless otherwise prevented by Applicable Data Protection Laws, the Carrier agrees that it will: (a) Process the Personal Data only on behalf of the Merchant and in compliance with the written instructions of the Merchant and this Agreement. If it is required by any applicable laws to process or disclose Personal Data for purposes other than those agreed, it shall promptly inform the Merchant of that legal requirement before processing the Personal Data; (b) as soon as practicable inform the Merchant if in the Carrier’s opinion, and without any obligation to perform any legal assessment, an instruction given to it breaches the Regulation, Applicable Data Protection Law and/or any applicable laws; (c) take appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction of, or damage to, the Personal Data, and ensure that all persons who have access to process Personal Data have committed themselves to appropriate obligations of confidentiality; (d) provide reasonable assistance to the Merchant to enable it to comply with (i) the rights of Data Subjects; (ii) the security requirements; and (iii) any privacy assessment procedure or consultation, as required under the Regulation and/or Applicable Data Protection Law; (e) inform the Merchant without delay of (i) any request for the disclosure of the Personal Data by a law enforcement authority; (ii) any incident which gives rise to a risk of unauthorised access, disclosure, loss, destruction, misuse or alteration of Personal Data; (iii) any notice, inquiry or investigation by a Supervisory Authority; and (iv) any complaint or request (in particular, requests for access to, rectification or blocking, erasure and destruction of Personal Data) received directly from the Data Subjects; (f) notify the Merchant as soon as it becomes aware of a Reportable Breach and will provide the Merchant with reasonable assistance in responding to and mitigating it. Where the Reportable Breach is connected to the Carrier’s Processing of the Personal Data, the Merchant shall provide the Carrier with a copy of the intended notification (if any) to be made by the Merchant to the affected Data Subjects and/or Supervisory Authority for the Carrier’s prior written approval; and (g) upon termination of the Contract, the Personal Data shall, at the Merchant’s option, be destroyed or returned to the Merchant.
3.7 The Merchant acknowledges and agrees that the Carrier shall be permitted to perform any or all of its Personal Data processing obligations through its Affiliates, subcontractors, or continue to use sub-contractors engaged by the Carrier, provided that (i) the Carrier shall remain liable to the Merchant for such performance of its Personal Data processing obligations by any Affiliate or subcontractor; and (ii) all Affiliates or subcontractors engaged by the Carrier shall be bound by the terms of an agreement which contains the same or equivalent obligations with respect to Personal Data imposed on the
Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorCarrier under this Agreement.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 16.1 The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties.
16.2 Where the Provider is Processing Personal Data under or in connection with this Framework Agreement, the Provider must, in particular, but without limitation: 16.2.1 only Process such Personal Data as is necessary to perform its obligations under this Framework Agreement, and only in accordance with any instructions given by the Authority under this Framework Agreement; 16.2.2 put in place appropriate technical and organisational measures against any unauthorised or unlawful Processing of that Personal Data, and against the accidental loss or destruction of or damage to such Personal Data, taking into account the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data is affected by unauthorised or unlawful Processing or by its loss, damage or destruction; 16.2.3 take reasonable steps to ensure the reliability of Staff who will have access to Personal Data, and ensure that those Staff are aware of and trained in any relevant policies and procedures.
16.3 The Provider and the Authority shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
16.4 Where any Personal Data is Processed by any subcontractor of the Supplier in connection with this Framework Agreement, the Provider shall procure that such subcontractor shall comply with the relevant obligations set out in Clause 16 of this Framework Agreement, as if such subcontractor were the Provider.
16.5 The Provider shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Provider’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Framework Agreement.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 13.1 Nothing in this Clause 13 is intended to amend or replace a party’s obligations under Data Protection Laws and each party agrees that it shall not act in such a way so as to cause the other to breach such obligations.
13.2 The Customer warrants and represents to the Provider any Personal Data included within Customer Data has been lawfully collected, processed and transferred to the Provider under Data Protection Laws.
13.3 The parties acknowledge that in providing the Services the Provider will act as a Processor on behalf of the Customer. Annex 1 (Data Processing Information) to this Agreement sets out the subject-matter and duration of Processing, the nature and purpose of Processing, the types of personal data Processed and the categories of affected data subject.
13.4 To the extent that the Provider Processes Personal Data on behalf of the Customer during the course of providing the Services pursuant to the Agreement, then the Provider agrees that with respect to such data it shall: (a) Process all Personal Data supplied or provided by the Customer or collected or otherwise obtained on the Customer’s behalf only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country. The Customer’s initial instructions are as detailed in the Agreement and subsequently as amended in writing from time to time; (b) inform the Customer if in its reasonable opinion any Customer instruction infringes Data Privacy Laws and refrain from Processing in the absence of documented instructions, unless Processing is required under applicable law or regulation to which the Provider is subject in which case the Provider shall to the maximum extent permitted and within a reasonable amount of time inform the Customer of that legal requirement before Processing; (c) take all such steps necessary to ensure that any persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (d) implement appropriate technical and organizational measures to protect Personal Data; (e) only use those Sub-Processors as are authorized in advance by the Customer and notify the Customer in advance of any intended changes concerning the addition or replacement of approved Sub-Processor(s), thereby allowing the Customer a reasonable opportunity to object to such changes. Where the Customer does not respond to the notice within 5 Business Days of receipt then the Customer shall be deemed to agree to the proposed change, but in any case where the Customer does so object then the parties agree to negotiate in good faith in nominating a suitable replacement; (f) when instructing a third party Sub-Processor, enter into an agreement with that Sub-Processor which includes substantially the same data protection obligations as are included within the terms of this Agreement. The Company may transfer Personal Data outside the UK or the EEA to Sub-Processors, but only for as long as the Company puts in place appropriate safeguards to protect the Personal Data as may be required by Data Protection Laws from time to time; (g) taking into account the nature of the Processing and at the sole cost of the Customer, assist and provide support to the Customer by appropriate technical and organisational measures, insofar as this is possible, to enable the Customer to comply with its obligations to respond to statutory data subject requests submitted to the Customer under Data Protection Laws; (h) taking into account the nature of the Processing and the information available, at the sole cost of the Customer provide such reasonable commercial assistance to the Customer as is necessary to enable it to comply with its obligations relating to the security of Processing, data breach notifications, data protection impact assessments and prior consultations with supervisory authorities; (i) upon termination of Services under this Agreement and at the election of the Customer, either promptly return all Personal Data to the Customer and delete any copies, or permanently erase such data, unless required by applicable law or regulation to retain it; (j) upon becoming aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data being Processed by or on behalf of the Customer in the course of providing the Services, promptly (and in any event within 72 hours) notify the Customer of the breach and, where possible, provide sufficient details of the breach to enable the Customer to comply with applicable reporting obligations pursuant to Clause (h); (k) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Clause 13.4, including in allowing for and contributing to audits and/or inspections conducted by the Customer or a third party mandated on its behalf, provided that the Customer's right of audit shall be satisfied by; (i) the Provider providing to the Customer an audit report that has been produced by a registered and independent external third party auditor within no more than 18 months before the time that an audit request is initiated by the Customer pursuant to this Clause 13.4(k) and that adequately demonstrates the sufficiency of the Provider’s data security controls in line with industry practices; or (ii) where the Provider is unable to provide the information described in Clause 13.4(k), allowing the Customer or a nominated third party reasonable access to the Provider’s facilities and data security practices, at a frequency no greater than once per 12 month rolling period and provided in each case that the Customer shall (i) arrange in advance a mutually agreed upon time, place and scope for conducting the audit which shall be during normal business hours; (ii) limit the audit to systems and material relevant to the Services, taking any steps necessary to minimize the impact of the audit on the Provider’s usual course of business operations; (iii) ensure that any third party mandated to participate in the audit owes existing contractual obligations of confidentiality to the Customer; (iv) immediately notify the Provider upon discovering any instance of non-compliance with Data Protection Laws; and (v) reimburse the Provider at reasonable professional rates, as determined by the Provider and made available in advance upon request.
13.5 The Customer grants the Provider a general authorization to use those Sub-Processors as are included in its privacy notice on the Web Site. For the avoidance of doubt, the Provider shall remain fully liable to the Customer for the acts and omissions of any appointed Sub-Processors.

Appears in 1 contract

Sources: Terms of Use Agreement

Data Protection. 9.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 9 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
9.2 The parties acknowledge that in performing their respective obligations hereunder they shall be sharing Personal Data between themselves as Data Controllers, and also there may be circumstances where one party may act as the Data Processor of the other. The Parties also acknowledge that MCL Medics shall not share with the Client any Personal Data that MCL Medics may acquire as a result of the use of an Application by any employee of MCL Medics.
9.3 The Parties agree to only process Shared Personal Data for the Agreed Purpose, and shall not process Shared Personal Data in a way that is incompatible with the Agreed Purpose.
9.4 The Data Discloser shall ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Data Receiver for the Agreed Purposes.
9.5 The Data Discloser shall, in respect of Shared Personal Data, ensure that their privacy notices comply with the Data Protection Legislation, and without prejudice to the generality of the foregoing, are clear and provide sufficient information to the Data Subjects for them to understand which specific personal data the Data Discloser is sharing with the Data Receiver, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of the Data Receiver or a description of the type of organisation that will receive the personal data, together with, if applicable, giving notice that, on the termination of the Agreement, Personal Data relating to them may be retained by the Data Receiver, its successors and assignees.
9.6 Where required under the Data Protection Legislation, the Data Receiver undertakes to inform the Data Subjects of the purposes for which it will process their Personal Data and provide all of the information that it must provide to ensure that the Data Subjects understand how their Personal Data will be processed by the Data Receiver.
9.7 Neither Party shall be required to share any personal Data with the other Party where the Data Subject has expressed a wish for such Personal Data not to be shared.
9.8 The Data Discloser shall ensure before disclosing any Personal Data to the Data Receiver that it is accurate.
9.9 Shared Personal Data must be limited to the Personal Data described in Annexure A. The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
9.10 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes, which shall be no longer than the retention period specified in Annexure A.
9.11 Notwithstanding clause 9.10, the Parties shall be entitled to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry provided that such retention periods are notified to the Data Discloser.
9.12 The Data Receiver shall ensure that any Shared Personal Data are returned to the Data Discloser or destroyed in accordance with the Data Discloser's reasonable requirements in the following circumstances: 9.12.1 on termination of the Agreement; and 9.12.2 once processing of the Shared Personal Data is no longer necessary for the Agreed Purposes.
9.13 Following deletion of the Shared Personal Data in accordance with clause 9.12, the Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted.
9.14 For the purposes of this clause, transfers of Personal Data shall mean any sharing of Personal Data by the Data Receiver with a third party, and shall include, but is not limited to, the following: 9.14.1 storing Shared Personal Data on servers outside the EEA; 9.14.1.1 sub-contracting the processing of Shared Personal Data to data processors located outside the EEA; and 9.14.1.2 granting third parties located outside the EEA access rights to the Shared Personal Data. 9.14.2 The Data Receiver shall not disclose or transfer the Shared Personal Data to a third party data controller located outside the EEA unless: 9.14.2.1 such international transfer is stated as permitted in Annexure A, or it has the express written consent of the Data Discloser; and 9.14.2.2 it complies with the provisions of Article 26 of GDPR (in the event the third party is a joint controller); and 9.14.2.3 it ensures that: (A) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of GDPR; (B) there are appropriate safeguards in place pursuant to Article 46 of GDPR; or (C) one of the derogations for specific situations in Article 49 of GDPR applies to the transfer.
9.15 The Data Receiver shall ensure that all Permitted Recipients who have access to and/or process the Shared Personal Data are obliged to keep the Shared Personal Data confidential.
9.16 Where the Data Receiver is acting as a data processor on behalf of the Data Discloser, then without prejudice to the generality of clause 9.1, the Data Receiver shall: 9.16.1 process that Shared Personal Data only on the written instructions of the Data Discloser; 9.16.2 at the written direction of the Data Discloser, delete or return the Shared Personal Data and copies thereof to the Data Discloser on termination of the Agreement unless required by any applicable law to store the Shared Personal Data; and 9.16.3 maintain complete and accurate records and information to demonstrate its compliance with the Agreement and allow for audits by the Data Discloser or the Data Discloser's designated auditor upon reasonable notice and during normal business hours of the Data Receiver.
9.17 Having regard to the state of technological development and the cost of implementing such measures, the Parties have in place appropriate technical and organisational security measures including as a minimum any requirements set out in Schedule 1 in order to: 9.17.1 prevent: (A) unauthorised or unlawful processing of the Shared Personal Data; and (B) the accidental loss or destruction of, or damage to, the Shared Personal Data; 9.17.2 ensure a level of security appropriate to: (A) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and

Appears in 1 contract

Sources: General Terms and Conditions

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).
Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection Toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data.
Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 1 contract

Sources: NHS Terms and Conditions for the Supply of Goods and the Provision of Services

Data Protection. Where SurveyMonkey is processing Personal Data for Customer, SurveyMonkey will: (a) only do so on documented Customer instructions and in accordance with applicable law, including with regard to transfers of Personal Data to other jurisdictions or an international organization, and the parties agree that these Terms of Use constitute such documented instructions of the Customer to SurveyMonkey to process Customer Data; (b) to the extent applicable, for data transfers SurveyMonkey Europe UC relies upon the Standard Contractual Clauses and/or consent for personal data transfers to countries that do not have adequate levels of data protection as determined by the European Commission,
United Kingdom or other jurisdictions which approve and require Standard Contractual Clauses; (c) with respect to any transfers of Personal Data out of the European Economic Area ("EEA"), the United Kingdom or other country requiring Standard Contractual Clauses, that may be required in relation to or in connection with the Terms of Use and the provision of the Services hereunder, the parties shall comply with and be subject to all obligations imposed on a ‘data importer’ or 'data exporter' (as appropriate) as set out under the Standard Contractual Clauses; (d) ensure that all SurveyMonkey personnel involved in the processing of Personal Data are subject to confidentiality obligations in respect of the Personal Data; (e) make available information necessary for Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by SurveyMonkey and is not otherwise available to Customer through its account and user areas or on SurveyMonkey websites, provided that Customer provides SurveyMonkey with at least 14 days' written notice of such an information request; (f) cooperate as reasonably
requested by Customer to enable Customer to comply with any exercise of rights by a Data Subject afforded to Data Subjects by Data Protection Legislation in respect of Personal Data processed by SurveyMonkey in providing the Services; (g) provide assistance, where necessary with all requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services; (h) upon deletion, by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies; (i) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required; (j) not store Personal Data (in a format that permits identification of relevant Data Subjects) for longer than is necessary for the purposes for which the data is processed save to the extent such retention is required for legitimate business purposes (with respect to, for example, security and billing), in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes; (k) where required by Data Protection Legislation, inform Customer if it comes to SurveyMonkey’s attention that any instructions received from Customer infringe the provisions of Data Protection Legislation, provided that notwithstanding the foregoing, SurveyMonkey shall have no obligation to review the lawfulness of any instruction received from the Customer. 
If this provision is invoked, SurveyMonkey will not be liable to Customer under the Terms of Use for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing; and (l) assist Customer as reasonably required where Customer (i) conducts a data protection impact assessment involving the Services (which may include by provision of documentation to allow customer to conduct their own assessment); or (ii) is required to notify a Security Incident (as defined below) to a supervisory authority or a relevant data subject.

Appears in 1 contract

Sources: End User Terms of Use

Data Protection. a) The Supplier shall maintain the Personal Information in strict confidence and shall not disclose the Personal Information to any third party. The Supplier is only permitted to process the Personal Information on behalf of the Customer for the specified purpose(s) and shall not use the Personal Information except for the purposes of this Agreement. b) For the avoidance of doubt, the Supplier will not use the Personal Information for any marketing purposes nor make any attempt to contact the Customer’s clients, its staff or any other identifiable individual to whom the Personal Information relates. c) The Personal Information shall belong to the Customer and the Supplier shall therefore obtain no rights of any nature in the Personal Information.
d) The Supplier acknowledges that data subject(s) will have the right at any time to request a copy of the Personal Information held by the Supplier and to have that Personal Information corrected if it is inaccurate. The Supplier warrants that the Personal Information provided pursuant to such requests shall be in an easily understandable format. e) The Supplier guarantees that it will remain strict security over the Personal Information and will preserve the integrity and confidentiality of the Personal Information at all times. f) The Supplier confirms that adequate security measures and precautions are in place to protect the Personal Information at all times in accordance with current UK data protection legislation and any relevant European Union data protection regulations or directives from time to time. g) The Supplier undertakes to comply with the provisions of the Data Protection Act 1998 (or any subsequent re-enactment or replacement data protection legislation) in respect of all Personal Information that will be passed on to them or processed by them during the course of this Agreement. h) The Supplier shall allow the Customer access to the Personal Information in its possession for the purpose of inspection of the files records documentation input and output materials and the media and storage facilities where they are located, all standby contingency and data back up/recovery facilities and files and all computer telephone and facsimile systems related to the foregoing provided that the Customer’s employees or agents agree to observe the confidentiality and security procedures implemented by the Supplier.
i) The Supplier will be responsible for maintaining visible audit trails to assist the Customer in checking unauthorized access attempts in respect of the Personal Information. j) The Supplier shall not disclose or sub-contract the processing of the Personal Information without obtaining the express written permission of the Customer. k) The Supplier shall only employ such persons to receive and use the Personal Information who have been satisfactorily vetted for reliability, integrity and honesty. l) The Supplier shall disclose the Personal Information on a need-to-know basis only to those of its employees, agents, sub-contractors and consultants who have received proper training in the handling of Personal Information and who require access for the purposes described herein. Prior to disclosing the Personal Information or any portion thereof to such employees, agents, sub-contractors and consultants, the Supplier shall issue proper instructions requiring them to comply with the Supplier’s obligations herein to receive and treat the Personal Information as confidential and subject to non-disclosure on the same conditions as contained herein. m) The Supplier shall take immediate disciplinary action against any of its employees, agents, sub-contractors and consultants who have failed to adhere to or ignore the procedures and restrictions in respect of the Personal Information set out herein. n) The Personal Information shall not be mechanically copied or otherwise reproduced by the Supplier and shall not be altered or supplemented with other data without the express written consent of the Customer. o) The Supplier shall immediately advise the Customer of any suspected or actual breaches in respect of the Personal Information sent by the Customer. p) The Supplier shall, upon the request of the Customer, return the Personal Information and any copies thereof under the Supplier’s control or power.
The Supplier shall destroy or dispose of the Personal Information only with the express written consent of the Customer. Such destruction or disposal shall be carried out in accordance with the Customer’s instructions and applicable statutory requirements regarding waste disposal. q) Without prejudicing the foregoing, the Personal Information shall at all times be given such protection by the Supplier as is given to its own confidential information. r) The Supplier warrants that it shall cease to process the Personal Information immediately if directed by the Customer or by a Court of Law. s) The Supplier warrants that it shall promptly amend or delete any Personal Information if directed to do so by the Customer or a Court of Law. t) This Agreement is binding upon the Supplier and its associated companies and associates. The Supplier shall neither assign any of its rights and obligations to any third party nor transfer any of the Personal Information to any third party. u) The Supplier acknowledges that the Customer could be irreparably injured by a breach of this Agreement by the Supplier and shall be entitled to any remedies available at law. v) When handling any Personal Information, which is stored on Media, the Supplier shall ensure that it is transmitted or transported via a secure delivery method to minimize unauthorized interception and disclosure.
w) All Media in electronic form must be virus checked by the Customer and the Supplier will endeavour to ensure that no computer virus is introduced to the Customer’s computer equipment or systems by an act, omission or negligence of the Supplier, its employees, agents or sub-contractors in respect of the Personal Information.

Appears in 1 contract

Sources: Data Protection Agreement

Data Protection. 16.1 Notwithstanding the remainder of this clause 16, each Party shall comply with all applicable obligations imposed by, and all requirements under, the Data Protection Laws. 16.2 Without prejudice to the generality of clause 1, where either Party (the "Disclosing Party") or its employee or representative discloses Personal Data to the other (the "Recipient") in connection with the operation of this Contract, the Disclosing Party will ensure that it obtains all necessary consents from the Data Subject, or alternatively that it only discloses the Personal Data on the basis of some other valid ground provided for in the Data Protection Laws, such that the Personal Data it provides to the Recipient can be lawfully used or disclosed by the Recipient in the manner and for the purposes anticipated by this Contract. 16.3 Although the Parties acknowledge that the Data Protection Laws ultimately determine status, the Parties are of the view that they shall each be controllers (as defined in the Data Protection Laws) in respect of Shared Personal Data that they receive pursuant to this Contract. 16.4 Without prejudice to the Disclosing Party's obligations under clauses 16.2 and 16.5, the Parties shall ensure that they process and share the Shared Personal Data fairly and lawfully in accordance with the Data Protection Laws. Each Party shall only use Shared Personal Data for the purposes of performing its obligations, and exercising its rights, under the Contract.
16.5 The Disclosing Party shall ensure that fair processing notices are provided to the Data Subjects in accordance with the Data Protection Laws, including that they are clear and provide sufficient information to the Data Subjects for them to understand what Personal Data the Disclosing Party is sharing with the Recipient, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of the Recipient or a description of the types of organisation (that includes the Recipient) that will receive the Personal Data. The information provided by the Disclosing Party to Data Subjects shall be detailed enough that the Data Protection Laws are complied with and so that the Recipient need not provide any information to the Data Subject in order to comply with the Data Protection Laws (including Article 14 of GDPR). 16.6 Each Party is responsible for maintaining a record of individual requests for Personal Data, or other requests from Data Subjects to exercise their rights under the Data Protection Laws, the decisions made and any information that was exchanged. Records must include copies of the request, details of the data accessed and shared and, where relevant, notes of any meeting, correspondence or phone calls relating to the request.
16.7 The Parties agree to provide reasonable assistance to each other to enable them to comply with the Data Protection Laws including, but not limited to, subject access requests or any other exercise by a Data Subject of its rights under the Data Protection Laws and to respond to any other queries or complaints from Data Subjects or regulators. 16.8 Having regard to the state of technological development and the cost of implementing such measures, each Party shall have in place appropriate technical and organisational security measures in order to: (a) prevent: (i) unauthorised or unlawful processing of the Shared Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and (b) ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the Shared Personal Data to be protected. 16.9 Each Party shall promptly notify the other Party of any personal data breach (as defined in GDPR) which affects, or may affect, Shared Personal Data obtained from that other Party and shall provide such additional information and assistance as the other Party may request in order to comply with Data Protection Laws.
16.10 The Supplier shall indemnify Exterion Media on demand against any and all losses, liabilities, claims, proceedings, settlement, damages, costs, regulatory fines and expenses arising out of or in connection with any breach by the Supplier of its obligations under this clause 15 or under the Data Protection Laws.

Appears in 1 contract

Sources: Terms and Conditions

Data Protection. 5.1 Each party shall comply with its obligations under the Data Protection Legislation in connection with its activities under this Agreement. 5.2 If Rittman ▇▇▇▇ Processes any Personal Data on the Client’s behalf when performing its obligations under this Agreement, the Client shall be the Data Controller and Rittman ▇▇▇▇ shall be a Data Processor and in any such case: (a) Client shall ensure that the Client is entitled to transfer the Personal Data to ▇▇▇▇▇▇▇ ▇▇▇▇; (b) ▇▇▇▇▇▇▇ ▇▇▇▇ shall only the Personal Data in accordance with the terms of this Agreement and any instructions given by the Client from time to time; (c) Rittman ▇▇▇▇ shall take appropriate technical and organisational measures against unauthorised or unlawful Processing of the Personal Data or its accidental loss, destruction or damage; (d) Rittman ▇▇▇▇ shall ensure that only those of its personnel and Permitted Sub-processors who may be required to assist in it meeting its obligations under this Agreement shall have access to the
Personal Data; (e) Rittman ▇▇▇▇ shall promptly carry out any request from Client requiring Rittman ▇▇▇▇ to amend, transfer or delete the Personal Data or any part of the Personal Data; (f) ▇▇▇▇▇▇▇ ▇▇▇▇ shall notify Client immediately upon receiving any notice or communication from any Data Subject, supervisory or government body which relates directly or indirectly to the Processing of the Personal Data; (g) Rittman ▇▇▇▇ shall assist Client promptly with all subject access requests which may be received from Data Subjects and shall not respond to any such request without the consent of Client; (h) Rittman ▇▇▇▇ shall provide to Client a copy of the Personal Data if requested in writing by Client.
5.3 Rittman ▇▇▇▇ may transfer any Personal Data outside the EEA or the UK provided that ▇▇▇▇▇▇▇ ▇▇▇▇ ensures that such transfer is covered by an Adequacy Decision and/or Rittman ▇▇▇▇ has ensured appropriate safeguards are in place to govern such transfer in accordance with the Data Protection Legislation such as Standard Contractual Clauses or binding corporate rules. Rittman ▇▇▇▇ will provide Client with details of any such transfers on written request.

Appears in 1 contract

Sources: Service Agreement

Data Protection. 15.1 With respect to the parties’ rights and obligations under this Agreement, the parties agree that Coast to Capital is the Data Controller and that the Accountable Body is the Data Processor. A description of the Personal Data processed by the Accountable Body and the processing activities undertaken by the Accountable Body is set out in Schedule 5 (Data Processing Activities). 15.2 In respect of Personal Data that the Accountable Body processes on behalf of the Coast to Capital in connection with this Agreement, the Accountable Body shall and shall procure that its Representatives shall: (a) solely process the Personal Data for the purposes of fulfilling its obligations under this Agreement and in compliance with the Coast to Capital’s written instructions as set out in this Agreement and as may be specified from time to time in writing by the Coast to Capital; (b) notify Coast to Capital immediately if any instructions of Coast to Capital relating to the processing of Personal Data are unlawful; (c) not transfer to or access any Personal Data from a country outside of the United Kingdom without the prior written consent of Coast to Capital; (d) comply with Coast to Capital’s instructions in relation to transfers of Personal Data to a country outside of the United Kingdom unless the Accountable Body is required pursuant to applicable Laws to transfer Personal Data outside the United Kingdom, in which case the Accountable Body shall inform Coast to Capital in writing of the relevant legal requirement before any such transfer occurs unless the relevant Law prohibits such notification on important grounds of public interest; (e) take reasonable steps to ensure the reliability of any staff who have access to the Personal Data and ensure that all staff used by the Accountable Body to process Personal Data are subject to legally binding obligations of confidentiality in relation to the
Personal Data; (f) ensure that none of the Accountable Body’s staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by Coast to Capital; (g) not engage any sub-contractor to carry out any processing of Personal Data without the prior written consent of Coast to Capital provided that notwithstanding any such consent the Accountable Body shall remain liable for compliance with all the requirements of this Agreement including in relation to the processing of Personal Data; (h) ensure that obligations equivalent to the obligations set out in this clause 15 are included in all agreements between the Accountable Body and permitted sub-contractor who will be processing Personal Data and who have been approved in accordance with clause 25.3; (i) take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with the Data Protection Legislation; (j) upon request provide a written description of the technical and organisational measures employed by the Accountable Body pursuant to clause 15(k) (within the timescales required by Coast to Capital) and if Coast to Capital does not consider that such measures are adequate to enable compliance with the Data Protection Legislation, implement such additional measures as may be specified
by Coast to Capital (acting reasonably) to ensure compliance; (k) taking into account the nature of the data processing activities undertaken by the Accountable Body, provide, at no cost to Coast to Capital, all possible assistance and co-operation (including without limitation putting in place appropriate technical and organisational measures) to enable Coast to Capital to fulfil its obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation, including (without limitation): (l) notifying Coast to Capital within two (2) Working Days, of receiving any request from a Data Subject exercising their rights under the Data Protection Legislation; (m) complying with Coast to Capital’s instructions in relation to complying with the Data Subject’s rights under the Data Protection Legislation, which may include (without limitation) providing notices to Data Subjects in a format specified by the Council, rectifying inaccurate Personal Data, ceasing or restricting processing of Personal Data, providing access to Personal Data, permanently deleting or securely destroying Personal Data and providing copies of Personal Data in a format specified by the Accountable Body; (n) maintain a record of the Accountable Body’s processing activities in accordance with the requirements of the Data Protection Legislation; (o) assist Coast to Capital, at no cost to Coast to Capital, in ensuring compliance with the obligations set out in Articles 32 to 36 (inclusive) of the GDPR (or any equivalent legislation in the UK or any subsequent legislation) taking into account the nature of the data processing undertaken by the Accountable Body and the information available to the Accountable Body, including (without limitation): (p) providing information and assistance upon
request to enable Coast to Capital to notify Data Security Breaches to the Information Commissioner’s and/or to affected individuals and/or to any other regulators to whom Coast to Capital is required to notify any Data Security Breaches; and (q) providing input into and carrying out Data Protection Impact Assessments in relation to the Accountable Body’s data processing activities; (r) ensure that it has in place appropriate technical and organisational measures to ensure that processing of Personal Data carried out by the Accountable Body in connection with this Agreement meets the requirements of the Data Protection Legislation and ensures protection of the rights of individuals under the Data Protection Legislation; (s) notify Coast to Capital immediately and in any event within twenty four (24) hours in writing if: (i) the Accountable Body or any sub-contractor engaged by or on behalf of the Accountable Body suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; or (ii) the Accountable Body or any approved sub-contractor engaged by or on behalf of the Accountable Body receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation, and in each case the Accountable Body shall provide full co-operation, information and assistance to Coast to Capital in relation to any such Data Security Breach, complaint, notice or communication at no cost to the Accountable Body; (t) upon termination of this Agreement, at the discretion of and at no cost to the Accountable Body, delete securely or return all Personal Data to Coast to Capital and delete all existing copies of the Personal Data unless and to the extent that the Accountable Body is required to retain copies of the
Personal Data in accordance with applicable Laws in which case the Accountable Body shall notify Coast to Capital in writing of the applicable Laws which require the Personal Data to be retained. Recipient agrees In the event the Personal Data is deleted or destroyed by the Accountable Body, the Accountable Body shall provide Coast to notify Provider within Capital with a period certificate of 48 hours where Recipient becomes aware of or reasonably suspects destruction evidencing that the Personal Data has been destroyed or may have been lostdeleted; (u) make available to Coast to Capital at no cost to Coast to Capital all information necessary to demonstrate compliance with the obligations set out in this clause 15 and, damaged or subject upon request, allow the Accountable Body, the Information Commissioner’s Office and its representatives access to unauthorized internal or external access or any other unlawful processing the Accountable Body’s Premises, records and Personnel for the purposes of assessing the Accountable Body’s compliance with its obligations under this clause 15; and (a “Security Incident”v) indemnify Coast to Capital from and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data against all costs, expenses (including its rights legal and other professional fees and expenses), losses, damages and other liabilities or whatever nature (whether contractual, tortious or otherwise) suffered or incurred by Coast to Capital and arising out of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with any breach by the processing Accountable Body or any sub-contractors of Personal Data (collectively, "Correspondence"), it this clause 15. 
15.3 The provisions of this clause 15 shall promptly inform Provider and apply during the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside continuance of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; Agreement and indefinitely after its expiry or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donortermination.

Appears in 1 contract

Sources: Accountable Body Agreement

Data Protection. The parties agree that in respect of: University Personal Data, the University shall be the Controller and the Provider shall be the Processor; and Provider Personal Data, Provider shall be the Controller and the University shall be the Processor. Each party shall comply with DP Laws and its relevant obligations as Processor and Controller under this Agreement. The Processor shall procure that any Sub-Processor that has access to Protected Data shall comply with the Processor’s obligations under this Agreement. The processing to be carried out by the Processor under this Agreement is for the purpose of enabling the Provider to carry out the Project for the Term. The Personal Data includes: (i) the University’s employee names and email addresses; (ii) the Provider’s employees’ names, email addresses and copies of their CVs; and (iii) any other Personal Data which may be included on project reports provided by the Provider to the University. Where the Processor processes Protected Data on behalf of Controller, the Processor shall (and shall procure that any person acting under its authority who has access to Protected Data): process the Protected Data only on and in accordance with Controller’s documented instructions as set out in this clause 15 (“Processing Instructions”); and immediately inform Controller of any legal requirement under applicable law that would require the Processor to process the Protected Data otherwise than only on the Processing Instructions, or if any Controller instruction infringes DP Laws.
The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Processor: such that the processing will meet the requirements of DP Laws and ensure the protection of the rights of Data Subjects; and so as to ensure a level of security in respect of Protected Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed. Without prejudice to clause 15.5.2, the Processor shall, in respect of all Protected Data processed by it under this Agreement comply with the requirements regarding security of processing set out in DP Laws, all relevant Controller policies and in this Agreement. The Processor shall not engage another Processor to perform specific processing activities in respect of the Protected Data without Controller’s prior written consent and, if the Controller gives its consent, the Processor shall appoint the Sub-Processor under a binding written contract (a “Processor Contract”) which imposes the same data protection obligations as are contained in this Agreement on the Sub-Processor, in particular under clause 15.5 and the conditions in this clause 15.7 for engaging another Processor.
The Processor shall ensure that Processor personnel processing Protected Data are under an obligation to keep Protected Data confidential, and take all reasonable steps to ensure that the Processor personnel processing Protected Data receive adequate training on compliance with this clause 15 and the DP Laws applicable to the processing. The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures to assist the Controller in the fulfilment of Controller’s obligations to respond to Data Subject Requests relating to Protected Data, including to ensure that all Data Subject Requests it receives are recorded and then referred to the Controller within three (3) days of receipt of the request.

Appears in 1 contract

Sources: Call Down Framework Agreement

Data Protection. Each of the parties shall in the course of performing its obligations under this Agreement comply with the provisions of the Applicable Data Protection Legislation. For the purposes of this Clause 14, the parties agree and acknowledge that: whilst the factual arrangement between the parties dictates the classification of each party as a ‘Controller’ or ‘Processor’ under the Applicable Data Protection Legislation, the parties anticipate that the Customer shall be the Controller and Swiss Post Solutions shall be the Processor where Swiss Post Solutions is processing Personal Data in connection with its provision of the Services; the description provided in Schedule [11] (Data Protection Particulars) is an accurate description of the Data Protection Particulars; Swiss Post Solutions may have access to Personal Data (including ‘sensitive’ or ‘special categories’ of Personal Data) in its provision of the Services.
Where Swiss Post Solutions processes Personal Data as a Processor on behalf of the Customer, Swiss Post Solutions shall: process the Personal Data only in accordance with the terms of this Agreement and the documented instructions of the Customer; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; ensure that all individuals who it permits to process Personal Data are bound by enforceable obligations of confidentiality; save where such countries have been deemed by the European Commission to be providing an adequate level of protection pursuant to the relevant provisions of the Applicable Data Protection Legislation, not transfer Personal Data outside the European Economic Area without the written instructions of the Customer. Notwithstanding the foregoing, Swiss Post Solutions is expressly permitted and instructed by the Customer that it may transfer Personal Data to any other Swiss Post Solutions Group Member and any other third parties, subject to first ensuring that adequate protections are in place to protect the Personal Data consistent with the requirements of the Applicable Data Protection Legislation; notify the Customer without undue delay if it becomes aware of a Personal Data Breach in relation to Personal Data processed pursuant to this Agreement; taking into account the nature of the processing and the information available to Swiss Post Solutions and the price paid by the Customer, assist the Customer in ensuring the Customer's compliance with the Customer's obligations under the Applicable Data Protection Legislation in relation to Personal Data processed pursuant to this Agreement:

Appears in 1 contract

Sources: Service Agreement

Data Protection. 15.1 Notwithstanding the remaining provisions hereof, each of Absa and Supplier hereby warrants and represents to the other that in the event that they Process any Personal Data, they will comply with Personal Data Protection Act, 2022 and its Regulations and such compliance will include, but not be limited to, maintaining a valid and up to date registration or notification (where applicable) under the Personal Data Protection Act, 2022.
15.2 Each of Absa and the Supplier hereby warrants and represents to the other that they have collected all necessary consents and done all such things as may be required under the Data Protection Legislation and any other applicable law relating to the protection of privacy, for the transfer of the Personal Data to the other party for the purposes of the other party Processing it as contemplated by this Agreement.
15.3 The Supplier will not process, transfer or permit access to any Personal Data outside the jurisdiction within or from which the Supplier's obligations are being performed or the Personal Data is being processed save to the extent notified to Absa in writing in advance and in compliance with all Data Protection Legislation and any other applicable law relating to the protection of privacy or the access to information.
15.4 The Supplier will notify Absa promptly and in any event within twenty-four hours of becoming aware of any actual, suspected or alleged loss, leak or unauthorised Processing of any Personal Data.
15.5 The Supplier will notify Absa promptly upon receiving a request for information made in terms of the Personal Data Protection Act, 2022, claim, complaint or allegation relating to Absa’s compliance with the Data Protection Legislation in relation to the Personal Data (the Enquiry) and the Supplier will provide Absa with all such assistance in dealing with and responding to such Enquiry as Absa will reasonably request, provided always that the Supplier will not take any other action in relation to any such Enquiry without the prior written authorisation of Absa.
15.6 The Supplier will implement appropriate technical and organisational measures to protect Personal Data against unlawful processing and against accidental loss, destruction, damage, alteration or disclosure of the Personal Data. Such measures will be appropriate to the harm that might result from unauthorised or unlawful Processing or accidental loss, destruction or damage to Personal Data and to the nature of Personal Data to be protected and will include taking reasonable steps to ensure the reliability of any employees having access to the Personal Data.
15.7 In the event that a third party processes any Personal Data on behalf of the Supplier, the Supplier will procure compliance by such third party with the Data Protection Legislation.
15.8 Any other applicable law relating to the protection of privacy or the access to information and with the terms of this letter and, as between Supplier and Absa, the Supplier will be responsible for the acts or omissions of such third party in relation to such processing as though they were the Supplier’s acts or omissions.

Appears in 1 contract

Sources: Purchase Agreement

Data Protection. 8.1 The Merchant acknowledges and agrees that details of the Merchant's name, address and payment record may be submitted to a credit reference agency and personal data will be processed by and on behalf of Handepay and its suppliers in connection with the Services.
8.2 Each party shall comply with its obligations under the Data Protection Legislation and as specified in this clause 8. Neither party shall do any act that puts the other party in breach of its obligations set out in this clause 8 and nothing in this Agreement shall be deemed to prevent any party from taking the steps it reasonably deems necessary to comply with the Data Protection Legislation.
8.3 The parties acknowledge and agree that Handepay processes personal data on the Merchant’s behalf when performing its obligations under this Agreement, and the parties record their intention that the Merchant shall be the data controller and Handepay shall be a data processor and in any such case:
8.3.1 the Merchant shall ensure that it is entitled to transfer the relevant personal data to Handepay so that Handepay may lawfully use, process and transfer the personal data in accordance with this Agreement on the Merchant's behalf;
8.3.2 the Merchant shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;
8.3.3 the Merchant agrees that Handepay can appoint a sub-contractor to process the personal data (and at this date that sub-contractor is Cardstream Partners Limited and if the sub-contractor changes Handepay will notify the Merchant), but shall ensure that any contract with the sub-contractor reflects the terms of this clause 8.
8.3.4 Handepay agrees that it will:
i. only process the personal data in accordance with instructions from the Merchant, which may be specific instructions or standing instructions of general application in relation to the Services, whether set out in this Contract or otherwise notified to Cardstream;
ii. unless otherwise agreed in writing, only process the personal data to the extent and in such manner as is necessary for the provision of the Services or as is required by law or any regulatory body or otherwise as appropriate including where necessary involving credit reference, fraud prevention and law enforcement agencies and other organisations in relation to preventing fraud and money laundering;
iii. maintain sufficient technical and organisational measures to prevent unauthorised or unlawful processing of personal data and to prevent any loss, destruction or unauthorised disclosure of personal data having regard to the nature of the personal data to be protected and inform the Merchant promptly and in any event within 48 hours of any breach of security affecting or compromising the Merchant's personal data;
iv. promptly notify the Merchant if it receives a request from a data subject (as defined in the Data Protection Legislation) to have access to personal data or any other complaint or request relating to the Merchant’s obligations under the Data Protection Legislation and provide full co-operation and assistance to the Merchant in relation to any such complaint or request (including, without limitation, by allowing data subjects to have access to their personal data);
v. not transfer the personal data outside of the EEA without the consent of the Merchant; and
vi. otherwise provide reasonable assistance to the Merchant as necessary to allow the Merchant to comply with the Data Protection Legislation.
8.4 The Merchant warrants and undertakes that any instructions given by it to Handepay (whether specific or non-specific) in respect of the processing of personal data shall at all times be in accordance with the requirements of the Data Protection Legislation and that compliance with such instructions by Handepay in its provision of the Services shall not put the Merchant or Handepay in breach of the Data Protection Legislation.
8.5 The Merchant recognises that a breach of the Data Protection Legislation would severely impact the reputation and shareholder value of Handepay and therefore agrees that it will on demand fully and effectively indemnify Handepay and keep Handepay fully indemnified against any loss, liability and costs incurred as a result of any breach of the Data Protection Legislation by the Merchant.
8.6 Any obligation on Handepay or the Merchant under this clause 8 to do, or refrain from doing, any act or thing shall include an obligation on Handepay or the Merchant respectively to procure that its employees, agents and sub-contractors (if any) also do, or refrain from doing, such act or thing.
8.7 As a data processor, Handepay will process personal data in accordance with its Privacy Policy. A copy of the Policy is available on the Handepay website and an electronic copy can be requested at any time.

Appears in 1 contract

Sources: Gateway Services Agreement

Data Protection. 2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. 2.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the 3DCrowd is the Controller and the Volunteer Admin/Coordinator is the Processor. 2.3 The scope, nature and purpose of processing by the Volunteer Admin/Coordinator, the duration of the processing and the types of Personal Data and categories of Data Subject are set out in the attached Schedule. 2.4 3DCrowd will ensure that it has all necessary consents and notices in place to enable lawful transfer of the Personal Data to the Volunteer Admin/Coordinator for the duration and purposes of this Agreement. 2.5 The Volunteer Admin/Coordinator shall, in relation to any Personal Data processed under the Terms of Service and this Agreement: (a) only process the Data as strictly necessary to provide the Service, or as otherwise instructed in writing by 3DCrowd; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by 3DCrowd, to protect against unauthorised or unlawful processing of Personal Data and/or a Personal Data Breach, appropriate to the harm that might result; (c) if the Volunteer Admin/Coordinator is a company or organisation, ensure that all personnel who process Personal Data are obliged to keep the Personal Data confidential; (d) not transfer any Personal Data to a territory outside of the United Kingdom or European Economic Area without the prior written consent of 3DCrowd; (e) pass any requests relating to Data Subjects' rights to 3DCrowd as soon as practicable without responding directly unless 3DCrowd provides written permission, and assist 3DCrowd, at 3DCrowd's cost, in responding to any such requests; (f) assist 3DCrowd, at 3DCrowd's cost, in ensuring compliance with its obligations under Data Protection Legislation with respect to security, data protection impact assessments and consultations with supervisory authorities; (g) notify 3DCrowd without undue delay on becoming aware of a Personal Data Breach; (h) at the written direction of 3DCrowd, delete or return Personal Data and copies thereof to 3DCrowd on termination of the Agreement; and (i) provide to 3DCrowd on request all information necessary to demonstrate its compliance with this Agreement. (j) 3DCrowd does not consent to the Volunteer Admin/Coordinator appointing any third party processor of Personal Data under this Agreement, with the exception of the use of mainstream consumer-facing products that are considered market standard in the UK e.g.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. a. Data Ownership- The Department will own all rights, title, and interest in its data that is related to this Agreement. The Provider shall not access public jurisdiction user accounts or public jurisdiction data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this contract, or (4) at the Department’s written request. b. Loss of Data- In the event of loss of any Department data or records where such loss is due to the intentional act, omission, or negligence of the Provider or any of its subcontractors or agents, the Provider shall be responsible for recreating such lost data in the manner and on the schedule set by the Department. The Provider shall ensure that all data is backed up and is recoverable by the Licensee. In accordance with prevailing federal or Department law or regulations, the Provider shall report the loss of non-public data as directed in this agreement. c. Protection of data and personal privacy (as further described and defined in this agreement) shall be an integral part of the business activities of the Provider to ensure there is no inappropriate or unauthorized use of Department information at any time. To this end, the Provider shall safeguard the confidentiality, integrity, and availability of Department information as further indicated in this section. d. The Provider shall implement and maintain appropriate administrative, technical, and organizational security measures to safeguard against unauthorized access, disclosure, or theft of Confidential Information and non-public data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Provider applies to its own Confidential Information and non-public data of similar kind. e. All Confidential Information shall be encrypted at rest and in transit with controlled access, including back-ups. Unless otherwise stipulated, the Provider is responsible for the encryption of the Confidential Information. All data collected or created in the performance of this contract shall become and remain property of the Department. f. Unless otherwise stipulated, the Provider shall encrypt all non-public data at rest and in transit. The Department shall identify to the Provider the data it deems non-public. The level of protection and encryption for all non-public data shall be identified and made a part of this Agreement. g. At no time shall any data or processes – that either belong to or are intended for the use of the Department or its officers, agents or employees – be copied, disclosed, or retained by the Provider or any party related to the Provider for subsequent use in any transaction that does not include the Department. h. The Provider shall not use any information collected in connection with the service issued under this Agreement for any purpose other than fulfilling the service.

Appears in 1 contract

Sources: Medical Marijuana Application Programming Interface User Agreement

Data Protection. 16.1 Each party shall comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 16.2 The Organiser and the Sponsor acknowledge that for the purposes of the Data Protection Legislation, either party may be the Data Controller depending upon what is specified in the Order Form. 16.3 Without prejudice to the generality of clause 16.1, the Data Controller shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Data Processor for the duration and purposes of this Agreement. 16.4 Without prejudice to the generality of clause 16.1, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by it of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Data Controller unless the Data Processor is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Data Processor to process Personal Data (Applicable Laws). Where the Data Processor is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (d) not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;

Appears in 1 contract

Sources: Event Sponsorship Agreement

Data Protection. 9.1 The parties will observe all provisions of the relevant data protection laws and regulations, insofar as the violation of such provisions affects the interests of the other party and/or the data subject involved. This includes the obligation of the Client to duly inform involved data subjects about the processing of their personal data by Ortus Telematics under the instruction of the Client. 9.2 Ortus Telematics shall only collect, process, store and use personal data, and the Resource Data, to the extent that such is necessary for the performance of this Agreement and the improvement of the Ortus Insight Service. 9.3 The Client instructs Ortus Telematics to collect, process, store and use their Resource Data for the purpose as included under Clause 9.2 above. 9.4 The Client approves that Ortus Telematics is allowed to outsource the hosting of its data centers to a third party within the European Economic Area. Ortus Telematics warrants that such third party is legally bound to the relevant provisions of this Agreement and to its respective obligations under the provisions of the data protection laws as a “Data Processor” as defined in the European Data Protection Directive (95/46/EC). 9.5 The Client may revoke its consent for the collection, processing, storage and use of the Resource Data in relation to this Agreement at any time. Such revocation must be presented to Ortus Telematics in writing and shall not affect the Agreement and will leave the Client’s obligations (including payment obligations) under the Agreement intact. The Client acknowledges that as a result of such revocation Ortus Telematics may not be able to provide the Ortus Insight Service. 9.6 Ortus Telematics shall implement appropriate technical and organisational measures to protect any personal data collected under the Agreement against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. 9.7 The parties acknowledge that they have agreed that the Client will respond to enquiries from data subjects, governmental and/or judicial body concerning the processing of personal data by Ortus Telematics. The Client should have sufficient processes in place to handle such enquiries.

Appears in 1 contract

Sources: General Terms and Conditions

Data Protection. 8.1 The Parties acknowledge and agree that in relation to the Processing of Lead Data, each Party acts as an independent Controller (as applicable). 8.2 The Parties acknowledge and agree that: 8.2.1 the Broker collects, discloses and otherwise Processes the Lead Data for the purposes of generating sales leads (and earning commission from the same) from Customers and the Broker determines, in its sole discretion the purpose, the means of Processing, the legal basis for the Processing as described in the Broker’s privacy policy, statement or other notice containing the mandatory provisions required under Data Protection Law (“BPP”) and whether or not to share the Lead Data with the Lender; 8.2.2 the Lender receives and otherwise processes the Lead Data from the Broker in connection with the HP Agreement, related pre-contractual steps or Complaints and the Lender determines, in its sole discretion that purpose, the means of Processing (namely the method and manner in which the Lead Data are Processed to perform the HP Agreement, resolve Complaints and perform related marketing activities), the legal basis for such Processing, as described in the Lender’s privacy policy, statement or other notice containing the mandatory provisions required under Data Protection Law (“LPP”); and 8.2.3 neither Party contributes to or has control over the contents of the privacy policy of the other Party nor does it have any control over the continuing use of the Lead Data by the other Party. 8.3 Each Party shall (and procure that its employees, staff, workers, agents, subcontractors and consultants (together, “Related Persons”) shall) comply with its respective obligations under all Data Protection Law in relation to its Processing of the Lead Data and shall process the Lead Data in accordance with its privacy policy (the BPP or LPP as applicable). 8.4 The Broker shall: 8.4.1 within 2 calendar days of Lender’s written request, provide a current copy of the BPP to the Lender and shall notify the Lender 14 calendar days prior to its publication or disclosure of any updates or changes to the BPP or of any changes to the legal bases on which the Broker relies to disclose to the Lender any Lead Data together with a written explanation for all such changes; 8.4.2 ensure that it has valid legal basis to collect, receive, Process and disclose to the Lender, and, without prejudice to the foregoing, that the Broker does not supply any Lead Data to the Lender in relation to a Customer to whom the BPP and the LPP have not been made available at the time the Lead Data was collected from that Customer; 8.4.3 provide to Lender within 7 calendar days of its written request: (a) a copy of any consent statement on which the Broker relies to obtain consent to Process Lead Data; or (b) any assessment or professional opinion or advice obtained or produced relating to the validity of any legal basis relied on by the Broker for the Processing of the Lead Data; 8.4.4 ensure that a copy of the BPP is provided to all Customers at the point of collection of the Lead Data and that a hyperlink to the LPP or the LPP itself (as specified by the Lender in writing to the Broker) is included on the form, page or other communication used to collect the Lead Data from Customers; 8.4.5 promptly (at the Broker’s cost) provide co-operation and assistance to the Lender, any Regulator and/or any Data Subject, as requested by the Lender in writing in connection with the Lender’s obligations, or such Regulator or Data Subject’s rights, under Data Protection Law (including in relation to any data protection impact assessment and/or by entering into such additional contractual terms as the Lender may require); 8.4.6 ensure that: (a) the Broker does not by its or its subcontractors’ act or omission cause the Lender to breach Data Protection Law; (b) prior to its transmission to the Lender, the Lead Data has not been transferred, or otherwise directly or indirectly disclosed or made available, to any location outside the UK and European Economic Area; and (c) the Lead Data supplied to the Lender is accurate and complete; 8.4.7 implement and maintain appropriate technical and organisational measures to ensure a level of security over all Personal Data Processed appropriate to the risk and comply with the provisions of Schedule 5 (Minimum Security Requirements); 8.4.8 fully and immediately (and in any event within 2 calendar days) notify the Lender in writing: (i) if in relation to any Customer, the Broker has not fulfilled its obligations under this clause 8.4.8; (ii) if it discovers that any of the Lead Data or Personal Data provided to Lender is inaccurate or incomplete; (c) with details of any request from or on behalf of any Data Subject exercising its rights under Data Protection Law including requests for access, rectification or erasure of Lead Data or other Personal Data, or any complaint, objection to Processing, or other correspondence. In no event shall the Broker respond directly to any such request, complaint or correspondence without the Lender’s prior written consent unless and to the extent required by Applicable Law or where the request, complaint or correspondence is unrelated to the Processing activities of the Lender; and (d) of any suspected, potential, actual or threatened Personal Data Breach or security breach involving any Personal Data Processed by the Broker, including the Lead Data. 8.5 The Broker acknowledges the Lender may receive and Process Personal Data relating to Related Persons or other individuals connected with the Broker in connection with the Broker’s performance, or the Lender’s or Broker’s administration or management, of the Agreement. The Broker acknowledges and agrees that the Lender shall Process such data in connection with its business activities acting as an independent Controller. The Broker shall ensure (and shall procure any relevant third parties shall ensure) that, prior to the receipt of such Personal Data by the Lender, all such individuals are provided with any notices and other information (or hyperlinks to the same) supplied by the Lender from time to time to the Broker for this purpose. 8.6 The Broker shall indemnify the Lender in full, on demand, against all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, expenses, actions, demands and legal and other professional costs (calculated on a full indemnity basis) or proceedings awarded against, suffered, incurred or paid by the Lender arising out of or in connection with any breach by the Broker of this clause 8 including all amounts paid or payable by the Lender to a third party which would not have been paid or payable if the Broker’s breach of this clause 8 had not occurred. Any reference to a Party in this clause 8 shall be deemed to include its Related Persons.

Appears in 1 contract

Sources: Hire Purchase Agreement

Data Protection. 12.2.1 The Parties acknowledge their respective duties under the Data Protection Legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties.
12.2.2 To the extent that the Recipient is acting as a Data Processor on behalf of the CIOS LEP, the Recipient shall, in particular, but without limitation: (a) only process such Personal Data and/or Sensitive Personal Data as is necessary to perform its obligations under this Agreement, and only in accordance with any instruction given by CIOS LEP under this Agreement; (b) put in place appropriate technical and organisational measures against any unauthorised or unlawful processing of such Personal Data and/or Sensitive Personal Data, and against the accidental loss or destruction of or damage to such Personal Data and/or Sensitive Personal Data having regard to the specific requirements in this Agreement, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data and/or Sensitive Personal Data is affected by such unauthorised or unlawful processing or by its loss, damage or destruction; (c) ensure the reliability of staff who will have access to such Personal Data and/or Sensitive Personal Data, and ensure that such staff are properly trained in protecting Personal Data and Sensitive Data; (d) provide CIOS LEP with such information as CIOS LEP may reasonably require to satisfy itself that the Recipient is complying with its obligations under the Data Protection Legislation; (e) promptly notify CIOS LEP of any requests for disclosure of or access to the Personal Data and/or Sensitive Personal Data; (f) promptly notify CIOS LEP of any breach of the security measures required to be put in place pursuant to this clause 12.2.2; (g) ensure it does not knowingly or negligently do or omit to do anything which places CIOS LEP in breach of the obligations of CIOS LEP under the Data Protection Legislation; (h) to the extent that any CIOS LEP data is held and/or processed by the Recipient, the Recipient shall supply the CIOS LEP data to CIOS LEP as requested by CIOS LEP; (i) ensure that it is registered under the Data Protection Legislation and the registration covers any processing required under this Agreement.
12.2.3 The Recipient and CIOS LEP shall ensure that Personal Data and Sensitive Personal Data is safeguarded at all times in accordance with the law.

Appears in 1 contract

Sources: Funding Agreement

Data Protection. 16.1 The parties agree that: 16.1.1 the provisions of this clause 16 shall apply to any personal data which is included in the Data (“Relevant Data”); and 16.1.2 the Licensee is the data controller and the Licensor is the data processor in respect of any Relevant Data the Licensor processes in connection with the Agreement.
16.2 Where required by data protection laws, the parties shall include in the Agreement a description of the relevant processing activities to be carried out by the Licensor in relation to the Relevant Data (including the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data being processed, the categories of data subjects and the obligations and rights of the Licensee as data controller) via a written amendment agreed and signed by both parties.
16.3 Each party undertakes to comply in all material respects with all of its obligations under applicable data protection laws which arise in connection with the processing of Relevant Data in accordance with the Agreement, and to not knowingly act in a way that causes the other party to be in breach of its own obligations under applicable data protection laws with respect to the Relevant Data.
16.4 The Licensee hereby consents to the processing of the Relevant Data outside of the European Economic Area. Relevant Data may be transferred in order for the Licensor to manage certain security processes such as access control and for disaster recovery purposes. The Licensor considers that such transfers will be necessary for the efficient and effective performance of the Licensor’s obligations under the Agreement.
16.5 If the Licensor becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of or access to any Relevant Data that it processes in connection with the Agreement (a Security Incident) it shall promptly, but in all cases within three days, notify the Licensee and provide the Licensee with all reasonable assistance and co-operation that it requires in connection with the Security Incident.
16.6 Where a third party processing Relevant Data on behalf of the Licensor, including any the Licensor group company or subcontractor fails to fulfil its obligations under any sub-processing agreement or any applicable data protection laws, the Licensor shall remain fully liable to the Licensor for the fulfilment of the Licensor’s obligations under the Agreement.

Appears in 1 contract

Sources: Software License Agreement

Data Protection. 8.1 We shall provide the Services via our cloud-based platform for the duration of the Agreement. We shall provide a secure platform for you to access the Services and provide the Approach in your Organisations. The Personal Information processed by us shall consist of information relating to children in your Organisations, Members and Account Managers and less frequently information relating to the families of children and individuals from support services who may be involved with the children. The personal information may consist of information relating to the education and home life of the children, how they have interacted with Members whilst engaging with the Approach, such as behaviour, emotional development and relationships with others. Information will also be held relating to the contact details, employment and training of Members. Such information may include Sensitive Personal Information about the medical needs or learning difficulties of the children.
8.2 Both of us will comply with the applicable requirements of the Data Protection Legislation.
8.3 We both acknowledge that the Subscriber owns the Personal Information provided by the Subscriber.
8.4 The Subscriber warrants that it has all necessary consents in place or has complied with another processing condition. It has the appropriate notices and privacy policies to enable the lawful transfer of Personal Information to Thrive for the duration and for the purposes of this agreement. Such consents to include automated decision making and where appropriate consent to process sensitive Personal Information.
8.5 Thrive shall: (a) act only on written instructions from the Subscriber; (b) have in place appropriate technical and organisational security measures (which may be subject to approval by the Subscriber) against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to, Personal Information. Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing; (c) ensure all staff who have access to the Personal Information are obliged to keep it confidential; (d) assist the Subscriber to respond to an individual’s request to enforce their rights of access, correction and any other rights conferred by the Data Protection Legislation; (e) assist the Subscriber if requested with respect to security, breach notifications and any investigations by a supervisory authority; (f) notify the Subscriber without undue delay in the event of a data security breach and assist the Customer with any investigations; (g) maintain and keep up to date the data processing register referred to above; (h) retain the information in accordance with clause 8.11 below and then destroy it; and (i) submit to audits and inspections and provide the Subscriber with whatever information it needs to ensure that they are both complying with their obligations under the Data Protection Legislation and inform the Subscriber immediately if they are asked if do something infringing the Data Protection Legislation or other law.
8.6 Thrive has appointed Fronting the Challenge Projects Limited (its parent company in the UK) to carry out processing operation on the Personal Information and has entered into a data processing agreement with that company, in compliance with the Data Protection Legislation.
8.7 Thrive shall not appoint any other third-party processor unless that any third-party processor has entered into an agreement with Thrive in compliance with the Data Protection Legislation.
8.8 The Subscriber shall ensure that it has the necessary consents in place to allow Thrive to produce anonymous data for training, marketing and statistical purposes.
8.9 Thrive will assist with any transfer of the details of a child from one Organisation to another.
8.10 If this Agreement will involve or require a transfer of any Personal Information from one country to a country outside the country of origin, if required by applicable law, Thrive and the Subscriber will enter into a data transfer agreement that is consistent with the requirements of the Data Protection Legislation.
8.11 Thrive will retain the Personal Information for a period of twelve years from the last record being created unless otherwise instructed by the Subscriber or as required by law.
8.12 The obligations in relation to the Data Protection Legislation set out in this clause shall not be affected by the expiry or termination of this Agreement.

Appears in 1 contract

Sources: Multi User Subscription Services Agreement

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); carry out the processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; notify the CLIENT (within five (5) Working Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the CLIENT’s obligations under the Data Protection Requirements; provide the CLIENT with full cooperation and assistance in relation to any complaint or request made, including by: providing the CLIENT with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CLIENT’s instructions; providing the CLIENT with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CLIENT); and providing the CLIENT with any information requested by the CLIENT; permit the CLIENT or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CLIENT to enable the CLIENT to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract; provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CLIENT); and not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CLIENT and, where the CLIENT consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the CLIENT.
The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CLIENT to breach any of its applicable obligations under the Data Protection Requirements. The CLIENT may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CLIENT such information as the CLIENT may reasonably require relating to: compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or the rights of Data Subjects, including but not limited to subject access rights. The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CLIENT or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CLIENT is the Data Controller and the SERVICE PROVIDER is the Data Processor.
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 28, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CLIENT, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 28 relating to the appointment of Sub-Contractors, the CLIENT hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CLIENT’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CLIENT in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 14.2. Any Sub-Contractor appointed under the provisions of this Clause 14.6 shall, for the purposes of Schedule 2-7, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-7. Save as set out in this Clause 14, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited.
The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CLIENT against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CLIENT which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Sources: Legal Services Framework Agreement

Data Protection. The parties acknowledge that personal data may be transferred under this agreement (“Personal Data”) SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and each party will fully comply with its respective the SERVICE PROVIDER shall observe their obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”)Requirements. The parties are independent controllers Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of their processing operations performed with such Personal Data. Taking into account the state Data on behalf of the artCUSTOMER, it shall: carry out the costs Processing of implementation Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); carry out the Processing of Personal Data only to the extent, and the naturein such manner, scope, context and purposes of processing as well as the risk of varying likelihood and severity is necessary for the rights and freedoms provision of data subjects, Recipient will maintain the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organizational organisational measures in such a manner that processing of to protect the Personal Data will meet against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the requirements harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Privacy Laws. 
Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject which is to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to be protected; take reasonable steps to mitigate ensure the impact reliability of any such Security Incident. In SERVICE PROVIDER personnel who have access to the event Personal Data; obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that Recipient receives any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; notify the CUSTOMER (iwithin five (5) any Working Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: providing the CUSTOMER with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CUSTOMER); and providing the CUSTOMER with any information requested by the CUSTOMER; permit the CUSTOMER or its representatives (subject to exercise reasonable and appropriate confidentiality undertakings), to inspect and audit 
the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the CUSTOMER. The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its rights applicable obligations under Privacy Laws the Data Protection Requirements. 
The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in relation such form as is specified in the information notice, to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the processing Processing of Personal Data; and/or the rights of Data Subjects, including but not limited to subject access rights. The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor. 
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 31, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data (collectivelyon behalf of the CUSTOMER, "Correspondence")then, it shall promptly inform Provider and subject always to compliance by the parties shall cooperate in good faith as necessary SERVICE PROVIDER with the provisions of Clause 31 relating to respond the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict Sub-Contractor to undertake the processing Processing of Personal Data identified by Providerprovided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. Recipient The SERVICE PROVIDER warrants that such appointment shall not transfer be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of Personal Data to by the SERVICE PROVIDER is strictly prohibited. 
The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors. If the SERVICE PROVIDER is responsible for storing any CUSTOMER data as part of the Ordered Services then:

Appears in 1 contract

Sources: Telecommunications

Data Protection. 1. The Parties shall comply with all applicable requirements of the Data Protection Laws applicable in respect of any personal data processed under this TOBA; and provide such assistance, co-operation and information as is reasonably requested by the other to comply with the Data Protection Laws. 2. The Parties acknowledge that, for the purposes of the Data Protection Laws, they shall each be controllers (as defined in the Data Protection Laws) in common in respect of the personal data obtained (whether directly or indirectly) from data subjects in relation to this TOBA. 3. Parties shall ensure that they process and share personal data (“Shared Personal Data”) fairly and lawfully in accordance with the Data Protection Laws on the basis that the data subject has unambiguously given his or her consent, or on the basis of some other valid ground provided for in the Data Protection Laws.
4. Where a Party (“Disclosing Party”) discloses personal data to the other(s) (“Recipient(s)”) in connection with the operation of this TOBA, the Disclosing Party will ensure that it obtains all necessary consents from the data subjects, or alternatively discloses the personal data on the basis of some other valid ground provided for in the Data Protection Laws, so that the personal data it provides to the Recipient(s) can be lawfully used or disclosed by the Recipient(s) in the manner and for the purposes anticipated by this ▇▇▇▇. 5. You shall, in respect of Shared Personal Data, ensure that fair processing notices are provided to data subjects in accordance with the Data Protection Laws, including that they are clear and provide sufficient information to the data subjects for them to understand what personal data you are sharing with us, the circumstances in which it will be shared, the purposes for the data sharing, either the identity of us or a description of the type of organisation(s) that will receive the personal data (such type of organisation to include us) and such other information as we may reasonably require.
The information provided by you to the Data Subject shall be detailed enough that the obligations to provide fair processing information pursuant to Data Protection Laws is complied with and that we need not provide any further information to the Data Subject in order to comply with Data Protection Laws in respect of the processing of Personal Data in the manner and for the purposes anticipated by this TOBA. 6. You shall indemnify Onsi on demand against any and all losses, liabilities, claims, proceedings, settlement, damages, costs, regulatory fines and expenses arising out of or in connection with any breach by us of our obligation set out in this Appendix 2. 7. The Disclosing Party shall provide such information and documentation as the Recipient(s) may reasonably request from time to time to evidence its compliance with this Appendix 2.

Appears in 1 contract

Sources: Terms of Business Agreement

Data Protection. In this clause, "Data Protection Laws" means all privacy laws applicable to any Personal Data processed under or in connection with the Agreement, including, without limitation, the General Data Protection Regulation 2016/679 (the "GDPR"), the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications ("ePrivacy Regulation"), and all national legislation implementing or supplementing the foregoing, all as amended, re-enacted and/or replaced and in force from time to time; To the extent that a party acts a data processor ("Processor") acts on behalf the other party acting as a data controller ("Controller") in respect of any personal data comprised in the Customer Data (“Personal Data”) are defined in the Data Protection Laws, the Processor shall ensure that: (i) unless required to do otherwise by applicable Data Protection Laws, it shall (and shall take steps to ensure each person acting under its authority shall) process the Personal Data only on and in accordance with the Controller’s documented instructions as set out in Schedule 1 (Data Processing Details), as updated from time to time by agreement between the parties;
(ii) persons authorised by the Processor to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (iii) if Data Protection Laws require it, to process Personal Data other than in accordance with Schedule 1, it shall notify the Controller of any such requirement before processing the Personal Data (unless applicable law prohibits such information on important grounds of public interest); (iv) it informs the Controller of any addition, replacement or other changes of Sub-processors and provide the Controller with the opportunity to reasonably object to such changes on legitimate grounds. The Controller acknowledges that these Sub-processors are essential to provide the Services and that objecting to the use of a Sub-processor may prevent the Processor from offering the Services to the Controller. The Processor will enter into a written agreement with the Sub-processor imposing on the Sub-processor obligations comparable to those imposed on the Processor under this Agreement, including appropriate data security measures.
In case the Sub-processor fails to fulfil its data protection obligations under such written agreement with the Processor, that Processor will remain liable towards Controller for the performance of the Sub-processor’s obligations under such agreement. By way of this Agreement, the Controller provides general written authorization to the Processor to engage Sub-processors as necessary to perform the Services; including those listed in Vendor's privacy policy. “Sub-processor” means another data processor engaged by the Processor for carrying out processing activities in respect of the Personal Data on behalf of the Controller;

Appears in 1 contract

Sources: Master Services Agreement

Data Protection. 32.1 The Grant Recipient warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to Process Personal Data for the purposes of performing its obligations under this Agreement. 32.2 The Grant Recipient undertakes that to the extent that the Grant Recipient and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the GLA (the GLA’s Personal Data) and for the purpose of performing its obligations under this Agreement it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA. In particular, the Grant Recipient agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 32.2.1 the Grant Recipient shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the GLA’s Personal Data and any person it authorises to have access to any the GLA’s Personal Data will respect and maintain the confidentiality and security of the GLA’s Personal Data.
This includes the obligation to comply with any records management, operational and/or information security policies operated by the GLA, when performing its obligations under this Agreement on the GLA’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 32.2.2 the Grant Recipient shall only process Personal Data for and on behalf of the GLA for the purpose of performing its obligations under this Agreement in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written instructions from the GLA to ensure compliance with the DPA; 32.2.3 the Grant Recipient shall allow the GLA to audit the Grant Recipient's compliance with the requirements of this Condition 32 on reasonable notice and/or, at the GLA’s request, provide the GLA with evidence of the Grant Recipient's compliance with the obligations within this Condition 32. 32.3 The Grant Recipient undertakes not to disclose or transfer any of the GLA’s Personal Data to any third party without the prior written consent of the GLA save that without prejudice to Condition 32.2 the Grant Recipient shall be entitled to disclose the GLA’s Personal Data to employees to whom such disclosure is reasonably necessary in order for the Grant Recipient to performing its obligations under this Agreement, or to the extent required under a court order.
32.4 The Grant Recipient shall: 32.4.1 take reasonable steps to ensure the reliability of any Grant Recipient Party who has access to the Personal Data; 32.4.2 ensure that any Grant Recipient Party required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition 32; 32.4.3 ensure that none of any Grant Recipient Party publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the GLA;

Appears in 1 contract

Sources: Framework Delivery Agreement

Data Protection. a) The parties agree that they shall comply with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, along with any associated guidance and codes of practice as issued from time to time (collectively “Data Protection Legislation”) with respect to the Services. b) For the purposes of this Section 16: Data Controller, Data Subjects, Personal Data and Processing shall have the meaning as provided in the Data Protection Legislation c) The parties agree that they will each act in the capacity of Data Controller in respect of the Personal Data processed under this Agreement and each will Process the Personal Data as independent Data Controllers. d) The parties (including their employee’s agents or officers) shall at all times during the period of this Agreement comply with the provisions and obligations imposed by this Section 16 and the Data Protection Legislation generally, including any requirement to obtain registrations, consents, and provide notifications and relevant privacy information to Data Subjects as required for the purposes of their obligations under this Agreement.
e) The parties warrant and represent that they each have in place appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. f) Each party shall notify the other without undue delay on becoming aware of any breach of the Data Protection Legislation in relation to the Personal Data Processed under this Agreement.
g) Whilst each party shall be responsible for responding to any complaint in relation to the Personal Data Processed pursuant to this Agreement, or any request by individuals to exercise the Data Subject's Rights, the parties will co-operate with each other and provide reasonable assistance with any request, proceedings or inquiry by any affected Data Subject and/or the Information Commissioner or other body authorized by statute which are concerned with the Data Protection Legislation in connection with data processed under this Agreement. h) The provisions of this Section 16 shall apply during the continuance of the Agreement and indefinitely after its termination.

Appears in 1 contract

Sources: Consulting Services Agreement

Data Protection. The Servicer represents that as at the date hereof the Servicer has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ▇▇▇▇▇▇▇▇ons under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Servicer and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Servicer to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Servicer may transfer such personal data to the Mortgages Trustee in Jersey);
(b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Servicer transfer inter alia personal data to the Mortgages Trustee, the Servicer shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" ▇▇ ▇▇▇ European Commission, in which case the Servicer may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Servicer transfer inter alia personal data to the Mortgages Trustee, the Servicer notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee;
(d) that the Servicer and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Da▇▇ ▇▇▇▇▇ction (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended);
(f) that, upon the request of a Borrower, the Servicer will inform such Borrower that both the Servicer and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Servicer and ▇▇▇ ▇▇▇▇gages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 1 contract

Sources: Administration Agreement (Granite Finance Trustees LTD)

Data Protection. 36.1 In this Agreement the terms “Personal Data”, “Data Processor”, “Data Subject”, “Process” and “Data Controller” are as defined in the Data Protection Act 1988 (“Act”) or the GDPR or other data protection legislation in force in the UK from time to time. Each Party shall comply with the provisions of the Act. 36.2 The Data Controller shall be determined in accordance with the Act. 36.3 Insofar as ADAPTIMMUNE provides or otherwise makes available Personal Data to Catapult and such Personal Data is Processed by Catapult, or if Catapult is required to Process Personal Data in connection with this Agreement; Catapult shall (a) keep such Personal Data strictly confidential; (b) only distribute to employees of Catapult to the extent such employees require access to such Personal Data for the performance of the Agreement; (c) not transfer such Personal Data to any third party (including any sub-contractor) without the prior written approval of ADAPTIMMUNE; outside of the EU; (e) only transfer Personal Data outside of the EU with the prior written consent of ADAPTIMMUNE; (f) only Process the Personal Data for purposes authorised by ADAPTIMMUNE and in accordance with any instructions provided by ADAPTIMMUNE (and for clarity, any purpose set out in this Agreement will be deemed to meet this requirement to the extent processing is require for the performance of that purpose); and
(g) keep such Personal Data secure in accordance with the requirements of the Act and the principles articulated in the Act. Should Catapult receive any request from a Data Subject in relation to any Personal Data provided by ADAPTIMMUNE, Catapult shall immediately pass on such Data Subject request to ADAPTIMMUNE. 36.4 To the extent required under data protection legislation, each Party will permit and assist the other to carry out any privacy impact assessments or other data protection assessments reasonably required under data protection legislation.
Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved AGREED by the European Commission. Recipient will not make any effort to identify individuals who are or may be parties through their duly authorised representatives on the donors date written at the start of this Agreement: SIGNED for and on behalf of: SIGNED for and on behalf of: Signature: /s/ ▇▇▇▇▇▇▇ ▇▇▇▇▇ Signature: /s/ ▇▇▇▇▇ ▇▇▇▇▇ Name: ▇▇▇▇▇▇▇ ▇▇▇▇▇ Name: ▇▇▇▇▇ ▇▇▇▇▇ Title: CBO Title: CEO A. Development and operation of ADAPTIMMUNE Manufacturing Process for the Original Material production of ADAPTIMMUNE Product B. Development and may not combine Data or results of the Project with other data which may result in identification operation of a donor.multi-product manufacturing centre and its associated quality management system C. Development and operation of a supply and distribution chain

Appears in 1 contract

Sources: Collaboration Agreement (Adaptimmune Therapeutics PLC)

Data Protection. (a) The Company is compliant with all applicable data protection laws and has complied in all material respects with all relevant requirements of the Data Protection ▇▇▇ ▇▇▇▇ and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (including all binding codes of practice and guidance issued by the UK Information Commissioner thereunder) (or equivalent legislation applicable in other jurisdictions) (Data Protection Legislation), including (without limitation): (i) informing data subjects of the identity of the data controller, its nominated representative, the uses made of the data and any potential disclosures and obtaining their consent (if necessary) in connection with the processing of personal data; (ii) having in place appropriate technical and organisational measures against the accidental or unauthorised destruction, loss, alteration or disclosure of personal data and procedures to ensure that unauthorised persons do not have access to any equipment used to process such data; (iii) having in place appropriate systems to identify which individuals have instructed any member of the Group that they do not wish to receive marketing information and comply with such instructions; (iv) responding to requests from data subjects for access to data held by it; and (v) the requirements relating to the registration of data controllers. (b) The Company operates fully in compliance with its data protection policies and data protection manuals (attached to the Disclosure Letter). (c) No individual has claimed in writing to the Company, and as far as the Warrantors are aware no grounds exist for any data subject to make a valid claim for compensation from any member of the Group under the Data Protection Legislation for loss or unauthorised disclosure of data or for any contravention of any of the requirements of the Data Protection Legislation. (d) The Company has not received a written notice or written allegation from either the Information Commissioner (or the equivalent in any applicable jurisdiction) or a data subject alleging non-compliance with the data protection principles or any other provisions of the Data Protection Legislation. (e) So far as the Warrantors are aware, the Company has in the 18 month period immediately preceding the date of this Agreement complied in all material respects with Payment Card Industry Data Security Standard, Payment Application Data Security Standard and all applicable Regulations concerning data security.

Appears in 1 contract

Sources: Share Purchase Agreement (Stream Global Services, Inc.)

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective o▇▇▇▇▇▇▇▇ns under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" ▇▇ ▇▇▇ ▇uropean Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data ▇▇▇▇▇▇▇ion (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and ▇▇▇ ▇▇▇tgages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 1 contract

Sources: Administration Agreement (Granite Mortgages 04-2 PLC)