Common use of PROCESSING OBLIGATIONS Clause in Contracts

PROCESSING OBLIGATIONS. To the extent a Servicing Party Processes any Personal Data on behalf of a Receiving Party in connection with the Services, such Servicing Party agrees as follows: 3.1. The Servicing Party will Process Personal Data solely for the purposes of performing the Services under the Master Agreement. 3.2. The Servicing Party will Process Personal Data solely on the basis of and in compliance with documented instructions issued by Receiving Party from time to time. If applicable law requires the Servicing Party (or, for the avoidance of doubt, any Sub-Processor) to conduct Processing inconsistent with any of the Receiving Party’s instructions, or if the Servicing Party believes that any instruction from the Receiving Party is in violation of, or would result in a violation of applicable law, the Servicing Party will promptly notify the Receiving Party thereof prior to commencing the Processing. 3.3. The Servicing Party will keep all Personal Data confidential and impose legally binding confidentiality and information security obligations on any personnel, contractor, Sub-Processor, or other third party that Process or otherwise have access to Personal Data; such obligations will meet or exceed the requirements set forth in applicable law and will survive the termination of the employment relationship. 3.4. The Servicing Party will not obtain any rights or title to any Personal Data by virtue of providing the Services, and may not determine the purposes for which Personal Data it receives under the Master Agreement may be Processed or otherwise used. 3.5. Where the Servicing Party, in accordance with the Agreement, engages a Sub-Processor for carrying out specific Processing activities, the Servicing Party must enter into a written agreement with the Sub-Processor that imposes the same data protection obligations and restrictions as set forth in this Appendix on the Sub-Processor. Such agreement must provide sufficient guarantees to implement appropriate technical and organizational measures such that the Processing will meet the requirements of applicable law including the Regulation. 3.6. At any time upon the Receiving Party’s request, the Servicing Party will make available a list of all Sub-Processors that Process or may Process Personal Data in connection with the Services. This list shall also specify all geographic locations where Processing by such enumerated Sub-Processors may take place. The Servicing Party will inform Discover of any intended changes concerning the addition or replacement of Sub-Processors. The Receiving Party may object to such change(s) if the Receiving Party believes the new Sub-Processor represents an unacceptable risk to the protection of Personal Data. Irrespective of the Receiving Party’s objection to (or lack of objection to) Sub-Processors engaged by the Servicing Party, the Servicing Party agrees it is liable to the Receiving Party for the acts and omissions of its Sub-Processors to the same extent that the Servicing Party would be liable if performing the services and/or Processing of each Sub-Processor directly.