PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor and You are the controller of such personal data. Paragraph 3 of this Schedule 2 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categori es of data subjects. The parties may amend paragraph 3 from time to time by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessary. 2.2. Each party shall comply with its obligations under applicable Data Protection Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. Subject to paragraph 2.4 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) without Your consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation. 2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing. 2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality in respect of such personal data as set out in Clause 6 of the Agreement. 2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. The security measures are set out in paragraph 4 to this Schedule 2 and You warrant that You have reviewed such security measures and consider them appropriate in the context of the processing of Your personal data as anticipated by the Agreement. 2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including in connection with support, maintenance and development, staff augmentation and the use of third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace that Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the addition or replacement of such Sub Processors and You may, on reasonable grounds, object to a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification, giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall require all Sub Processors to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreement. 2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and shall use reasonable commercial efforts, to assist You in fulfilling Your obligations as controller without undue delay and in any event within 5 days following written request from You provided that We may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation)and/or (b) charge You on a time and materials basis in the event that we consider, in our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data. 2.9. Upon discovering a Personal Data Breach in respect of the Customer Data, We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with notification to the applicable supervisory authority and data subjects, taking into account the nature of processing and the information available to Us. 2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy im pact assessment or prior consultation with a supervisory authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Us. 2.11. Unless otherwise required by applicable law, following termination or expiry of the Agreement We shall, at Your option, delete or return all Your personal data and all copies thereof to You in accordance with the relevant Exit Policy. 2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing paragraphs 2.3 to 2.11 inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis. 2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infring es Data Protection Legislation We shall inform You immediately and You shall assess your instructions and Data Protection Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non- infringing or amend Your instructions to make them non-infringing and notify Us accordingly. 2.14. In the event that either party considers it reasonably necessary to amend this Schedule as a result of any changes in law relating to the protection or treatment of personal data, such party shall notify the other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule to ensure compliance with such law.
Appears in 1 contract
Sources: Framework Agreement
PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor and You are the controller of such personal data. Paragraph 3 of Annex 1 to this Schedule 2 1 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categori es categories of data subjects. The parties may amend paragraph 3 from time to time by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessary.
2.2. Each party shall comply with its obligations under applicable Data Protection Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. Subject to paragraph 2.4 6 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) without Your consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘'written instructions’ ' for the purposes of this Schedule 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation1.
2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality in respect of such personal data as set out in Clause 6 of the Agreementdata.
2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. The security measures are set out in paragraph 4 Annex 2 to this Schedule 2 and You warrant that You have reviewed such security measures and consider them appropriate in the context of the processing of Your personal data as anticipated by the Agreement.
2.7. We may engage such other processors (“"Sub Processors”") as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including in connection with support, maintenance and development, staff augmentation and the use of third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace that Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the addition or replacement of such Sub Processors and You may, on reasonable grounds, object to a Sub Processor by notifying Us in writing within 14 5 days of receipt of Our notification, giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall require all Sub Processors to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule paragraphs 2.3 to 2.6 inclusive and We shall remain responsible and liable for Sub Processors’ Processor's acts and omissions in connection with this Agreementomissions.
2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and shall use reasonable commercial efforts, to assist You in fulfilling Your obligations as controller without undue delay and in any event within 5 days following written request from You provided that We may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation)and/or and/or
(b) charge You on a time and materials basis in the event that we consider, in our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data.
2.9. Upon discovering a Personal Data Breach in respect of the Customer DataBreach, We shall notify You without undue delay and within 72 hours and shall assist You to the extent reasonably necessary in connection with notification to the applicable supervisory authority Supervisory Authority and data subjects, taking into account the nature of processing and the information available to Us.
2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy im pact impact assessment or prior consultation with a supervisory authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultationassessment. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Us.
2.11. Unless otherwise required by applicable law, following termination or expiry of the Agreement We shall, at Your option, delete or return all Your your personal data and all copies thereof to You you (in accordance with a format that is supported by the relevant Exit PolicySoftware) provided you make that request to us in writing within 10 days of the date of termination, after which we shall delete such data.
2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing paragraphs 2.3 to 2.11 inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basisYou.
2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infring es infringes Data Protection Legislation We shall inform You immediately and You shall assess your instructions and Data Protection Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non- non-infringing or amend Your instructions to make them non-infringing and notify Us accordingly.
2.14. In the event that either party considers it reasonably necessary to amend this Schedule as a result of any changes in law relating to the protection or treatment of personal data, such party shall notify the other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule to ensure compliance with such law.
Appears in 1 contract
Sources: Software Access Terms and Conditions
PROCESSOR CLAUSES. 2.1. 2.1 In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor and You are the controller of such personal data. Paragraph 3 of Annex 1 to this Schedule 2 1 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categori es categories of data subjects. The parties may amend paragraph 3 Annex 1 from time to time by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessary.
2.2. 2.2 Each party shall comply with its obligations under applicable Data Protection Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. 2.3 Subject to paragraph 2.4 6 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) Economic Area without Your consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation1.
2.4. 2.4 We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. 2.5 We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality in respect of such personal data as set out in Clause 6 of the Agreementdata.
2.6. 2.6 We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. The security measures are set out in paragraph 4 Annex 2 to this Schedule 2 and You warrant that You have reviewed such security measures and consider them appropriate in the context of the processing of Your personal data as anticipated by the Agreement.
2.7. 2.7 We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including in connection with support, maintenance and development, staff augmentation and the use of third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace that Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the addition or replacement of such Sub Processors and You may, on reasonable grounds, object to a Sub Processor by notifying Us in writing within 14 5 days of receipt of Our notification, giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall require all Sub Processors to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule paragraphs 2.3 to 2.6 inclusive and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreementomissions.
2.8. 2.8 In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and within 72 hours and shall use reasonable commercial efforts, to assist You in fulfilling Your obligations as controller without undue delay and in any event within 5 days following written request from You provided that We may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation)and/or and/or (b) charge You on a time and materials basis in the event that we consider, in our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data.
2.9. 2.9 Upon discovering a Personal Data Breach in respect of the Customer DataBreach, We shall notify You without undue delay and within 72 hours and shall assist You to the extent reasonably necessary in connection with notification to the applicable supervisory authority Supervisory Authority and data subjects, taking into account the nature of processing and the information available to Us.
2.10. 2.10 In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy im pact impact assessment or prior consultation with a supervisory authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultationassessment. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Us.
2.11. 2.11 Unless otherwise required by applicable law, following termination or expiry of the Agreement We shall, at Your option, delete or return all Your personal data and all copies thereof to You in accordance with the relevant Exit PolicyYou.
2.12. 2.12 Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing paragraphs 2.3 to 2.11 inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basisYou.
2.13. 2.13 In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infring es infringes Data Protection Legislation We shall inform You immediately and You shall assess your instructions and Data Protection Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non- non-infringing or amend Your instructions to make them non-infringing and notify Us accordingly.
2.14. In the event that either party considers it reasonably necessary to amend this Schedule as a result of any changes in law relating to the protection or treatment of personal data, such party shall notify the other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule to ensure compliance with such law.
Appears in 1 contract
Sources: Saas Agreement
PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor and You are the controller of such personal data. Paragraph 3 of Annex 1 to this Schedule 2 Addendum 1 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categori es categories of data subjects. The parties may amend paragraph 3 Annex 1 from time to time by written agreement. You warrant and undertake that You have reviewed paragraph 3 Annex 1 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 Annex 1 and review Paragraph 4as Annex 2 as necessary.
2.2. Each party shall comply with its obligations under applicable Data Protection Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. Subject to paragraph 2.4 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) without Your consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 2 Addendum 1 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data (and We shall notify You of such safeguards) and ensure that the relevant data subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation.
2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality in respect of such personal data as set out in Clause 6 of the Agreement.
2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. The security measures are set out in paragraph 4 Annex 2 to this Schedule 2 Addendum and You warrant that You have reviewed such security measures and consider them appropriate in the context of the processing of Your personal data as anticipated by the Agreement.
2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including in connection with support, maintenance and development, staff augmentation and the use of third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace that Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the addition or replacement of such Sub Processors and You may, on reasonable grounds, object to a Sub Processor by notifying Us in writing within 14 5 days of receipt of Our notification, giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall require all Sub Processors to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreementomissions.
2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and shall use reasonable commercial efforts, to assist You in fulfilling Your obligations as controller without undue delay and in any event within 5 days following written request from You provided that We may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation)and/or (b) charge You on a time and materials basis in the event that we consider, in our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data.,
2.9. Upon discovering a Personal Data Breach in respect of the Customer DataBreach, We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with notification to the applicable supervisory authority Supervisory Authority and data subjects, taking into account the nature of processing and the information available to Us.
2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy im pact impact assessment or prior consultation with a supervisory authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Us.
2.11. Unless otherwise required by applicable law, following termination or expiry of the Agreement We shall, at Your option, delete or return all Your personal data and all copies thereof to You in accordance with the relevant Exit PolicyYou.
2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing paragraphs 2.3 to 2.11 inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis.
2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infring es Data Protection Legislation We shall inform You immediately and You shall assess your instructions and Data Protection Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non- infringing or amend Your instructions to make them non-infringing and notify Us accordingly.
2.14. In the event that either party considers it reasonably necessary to amend this Schedule as a result of any changes in law relating to the protection or treatment of personal data, such party shall notify the other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule to ensure compliance with such law.paragraphs
Appears in 1 contract
Sources: Framework Agreement
PROCESSOR CLAUSES. 2.1. 2.1 In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor and You are the controller of such personal data. Paragraph 3 of Annex 1 to this Schedule 2 Addendum 1 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categori es categories of data subjects. The parties may amend paragraph 3 Annex 1 from time to time by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessaryAgreement.
2.2. 2.2 Each party shall comply with its obligations under applicable Data Protection Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. 2.3 Subject to paragraph 2.4 6 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) Economic Area without Your consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subject have enforceable subject access rights and effective legal remedies as required by the Data Protection LegislationAddendum 1.
2.4. 2.4 We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. 2.5 We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality in respect of such personal data as set out in Clause 6 of the Agreementdata.
2.6. 2.6 We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. The security measures are set out in paragraph 4 Annex 2 to this Schedule 2 Addendum and You warrant that You have reviewed such security measures and consider them appropriate in the context of the processing of Your personal data as anticipated by the Agreement.
2.7. 2.7 We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including in connection with support, maintenance and development, staff augmentation and the use of third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace that Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the addition or replacement of such Sub Processors and You may, on reasonable grounds, object to a Sub Processor by notifying Us in writing within 14 5 days of receipt of Our notification, giving reasons for Your objection. The parties shall work together to reach agreement Agreement on the engagement of Sub Processors. We shall require all Sub Processors to enter into an agreement Agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule paragraphs 2.3 to 2.6 inclusive and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreementomissions.
2.8. 2.8 In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without within undue delay and within 72 hours and shall use reasonable commercial efforts, to assist You in fulfilling Your obligations as controller without undue delay and in any event within 5 days following written request from You provided that We may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation)and/or (b) charge You on a time and materials basis in the event that we consider, in our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data.
2.9. Upon discovering a Personal Data Breach in respect of the Customer Data, We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with notification to the applicable supervisory authority and data subjects, taking into account the nature of processing and the information available to Us.
2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy im pact assessment or prior consultation with a supervisory authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Us.
2.11. Unless otherwise required by applicable law, following termination or expiry of the Agreement We shall, at Your option, delete or return all Your personal data and all copies thereof to You in accordance with the relevant Exit Policy.
2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing paragraphs 2.3 to 2.11 inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis.
2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infring es Data Protection Legislation We shall inform You immediately and You shall assess your instructions and Data Protection Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non- infringing or amend Your instructions to make them non-infringing and notify Us accordingly.
2.14. In the event that either party considers it reasonably necessary to amend this Schedule as a result of any changes in law relating to the protection or treatment of personal data, such party shall notify the other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule to ensure compliance with such law.and/or
Appears in 1 contract
Sources: Saas & Supply of Services Agreement
PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor and You are the controller of such personal data. Paragraph 3 of this Schedule 2 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categori es categories of data subjects. The parties may amend paragraph 3 from time to time by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessary.
2.2. Each party shall comply with its obligations under applicable Data Protection Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. Subject to paragraph 2.4 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) without Your consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data (and We shall notify You of such safeguards) and ensure that the relevant data subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation.
2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality in respect of such personal data as set out in Clause 6 of the Agreement.
2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. The security measures are set out in paragraph 4 to this Schedule 2 and You warrant that You have reviewed such security measures and consider them appropriate in the context of the processing of Your personal data as anticipated by the Agreement.
2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including in connection with support, maintenance and development, staff augmentation and the use of third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace that Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the addition or replacement of such Sub Processors and You may, on reasonable grounds, object to a Sub Processor by notifying Us in writing within 14 5 days of receipt of Our notification, giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall require all Sub Processors to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreementomissions.
2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and shall use reasonable commercial efforts, to assist You in fulfilling Your obligations as controller without undue delay and in any event within 5 days following written request from You provided that We may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation)and/or (b) charge You on a time and materials basis in the event that we consider, in our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data.
2.9. Upon discovering a Personal Data Breach in respect of the Customer Data, We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with notification to the applicable supervisory authority and data subjects, taking into account the nature of processing and the information available to Us.
2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy im pact assessment or prior consultation with a supervisory authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Us.
2.11. Unless otherwise required by applicable law, following termination or expiry of the Agreement We shall, at Your option, delete or return all Your personal data and all copies thereof to You in accordance with the relevant Exit Policy.
2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing paragraphs 2.3 to 2.11 inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis.
2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infring es Data Protection Legislation We shall inform You immediately and You shall assess your instructions and Data Protection Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non- infringing or amend Your instructions to make them non-infringing and notify Us accordingly.
2.14. In the event that either party considers it reasonably necessary to amend this Schedule as a result of any changes in law relating to the protection or treatment of personal data, such party shall notify the other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule to ensure compliance with such law.,
Appears in 1 contract
Sources: Framework Agreement