Common use of Processing and security Clause in Contracts

Processing and security. 3.1. The Company shall only process the types of Personal Data, and only in respect of the categories of Data Subjects and types of processing, set out in the Appendix or as otherwise notified by Client. 3.2. In processing the Client Personal Data, the Company shall: 3.2.1 process Client Personal Data only in accordance with Client’s written instructions from time to time unless required to do so by European Union or EU member state law; 3.2.2 not process the Client Personal Data for any purpose other than those set out in this Addendum or otherwise expressly authorised by Client; 3.2.3 notify Client within 24 hours if it receives a Data Subject Request in respect of Client Personal Data; 3.2.4 provide Client with its full co-operation and assistance in relation to any Data Subject Request; 3.2.5 not disclose any Client Personal Data to any Data Subject or to a third party other than at the written request of Client; 3.2.6 clearly mark or identify Client Personal Data as belonging to Client; 3.2.7 protect the Client Personal Data by ensuring that it meets the requirements of Data Protection Laws and that the protection of the rights of Data Subjects under Data Protection Laws are ensured, including: (1) ensuring that any computer system on which personal data is stored or processed is controlled by password which is kept confidential; and (2) measures to protect the personal data against the risks of a security breach; and 3.2.8 ensure that only persons authorised process Client Personal Data. 3.3. The Company shall, without undue delay and in any event within 24 hours, in the event of any failure or defect in security that leads, or might reasonably be expected to lead, to a Security Breach (together a “Security Issue”) notify Client. 3.4. Where a Security Issue arises, the Company shall: 3.4.1 as soon as reasonably practicable, provide Client with full details of the Security Issue, the actual or expected consequences of it, and the measures taken or proposed to be taken to address or mitigate it; 3.4.2 co-operate with Client, and provide Client with all reasonable assistance in relation to the Security Issue; and 3.4.3 unless required by applicable law, not make any notifications to a DP Regulator or Data Subjects about the Security Issue without Client prior written consent (not to be unreasonably withheld or delayed).