Processor responsibilities Clause Samples

Processor responsibilities. Data Processors are listed in Appendix 3 ‘Data Processing Statement and Approval to Process’ which also sets out the processors’ commitments.

Processor responsibilities. 2.1 To the extent that IDVerse processes Personal Data on behalf of Client, IDVerse shall comply with the requirements of this clause 2 of this Annexure 1. 2.2 The scope of the Personal Data processing carried out by IDVerse under this Licence Agreement is restricted to such processing as is required for IDVerse in connection with the Product and the Services and for the duration of this Licence Agreement. The types of Personal Data that may be processed are as described in Annexure 2. 2.3 IDVerse confirms that, when acting as processor for the Client in relation to Personal Data, IDVerse shall: i. only process Personal Data on the documented instructions of the Client (which shall include the provision of Services under this Licence Agreement) unless required to process that Personal Data for other purposes by Law. Where such a requirement is placed on IDVerse it shall provide prior notice to the Client unless the relevant law prohibits the giving of notice on important grounds of public interest; ii. not sell (as “sell” is defined by Data Protection Legislation with respect to Personal Data) the Personal Data or share the Personal Data for targeted advertising purposes except as instructed by the Client;

Processor responsibilities. Data Processors are listed in the ICR/PHM security statement that accompanies this agreement. All contracted processors are required to meet the following commitments (BSW CCG holds the processor contract(s) on behalf of all partners, who are identified as beneficiaries of the contract):  Share an annual audit of their compliance with the programme and partners. The baseline standard will be achievement of ‘standards met’ in the Data Security and Protection Toolkit (DSPT). Where a processor has other accreditations related to data protection and information security, these will be expected to be maintained. For Graphnet this will consist of confirmation of their compliance with ‘standards met’ in the Data Security & Protection Toolkit and maintaining compliance with ISO27001 and Cyber Essentials Plus accreditations.  Have a Data Protection Officer.  Ensure all their staff are appropriately trained in information governance requirements related to their role, by completing the training needs assessment required by the DSPT and providing training identified by that.  Comply with GDPR article 32 by having appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction/damage to personal data – these are determined by the risks and countermeasures in the Data Protection Impact Assessment and set out in the system security statement.  Will ensure all processing activities maintain the accuracy of data processed  Will not sub contract any processing activities to another party without prior informing and consent of the relevant controller(s).  Will not relocate any processing operation outside the UK without prior consultation and approval from the relevant controller(s).  Will only process personal data on the written instruction of the controller(s). In terms of the data processing activities for Graphnet, these are defined in the contract held by BSW CCG on behalf of the health community, with partner organisations identified as beneficiaries.

Processor responsibilities. 3.1 Processor will not Process any Personal Data on behalf of Controller except upon its documented instructions and consistent with the stated Nature and Purpose of the Processing (as set forth in the attached Appendix A), or as required by applicable law and following reasonable notice to Controller (where legally permitted). Controller hereby instructs Processor to Process Personal Data to provide Services in accordance with the Agreement and this DPA. 3.2 Processor shall inform Controller immediately if Processor has a good faith belief that an instruction violates GDPR or other applicable law. Processor shall then be entitled to suspend execution of the relevant instructions until Controller confirms or changes them to comply with applicable law.