PROCESSOR’S GENERAL OBLIGATIONS Clause Samples

PROCESSOR’S GENERAL OBLIGATIONS. 3.1 The Processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 3.2 The Processor shall implement appropriate technical and organisational measures to prevent that the personal data processed is (i) accidentally or unlawfully destroyed, lost or altered, (ii) disclosed or made available without authorisation, or (iii) otherwise processed in violation of applicable laws, including the GDPR. 3.3 The Processor must also comply with any special data security requirements that apply to the Controller, e.g as potentially outlined in Annex 1 or as otherwise required by the Controller, and with any other applicable data security requirements that are directly incumbent on the Processor; including the data security requirements in the country of establishment of the Processor or in the country where the data processing will be performed. 3.4 The appropriate technical and organisational security measures must be determined with due regard for (i) the current state of the art, (ii) the cost of their implementation, and (iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 3.5 The Processor shall upon request provide the Controller with sufficient information to enable the Controller to ensure that the Processor complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented. 3.6 The Processor must give authorities who by Union or member state law have a right to enter the Controller's or the Controller's supplier's facilities, or representatives of the authorities, access to the Processor's physical facilities against proper proof of identity. 3.7 The Processor must without undue delay after becoming aware of the facts in writing notify the Controller about: (i) any request for disclosure of personal data processed under the Agreement by authorities, unless expressly prohibited under Union or member state law, (ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Processor under the Agreement, or (b) other material failure to comply with the Processor's obligati...

PROCESSOR’S GENERAL OBLIGATIONS a. The Processor processes Controller Data exclusively on behalf of and in accordance with the Main Agreement and/or in compliance with additional instructions issued by the Controller, if necessary. b. Excluded from this is compliance with mandatory European or Member State legislation (e.g. in the case of investigations by authorities/law enforcement) which require the Processor to oblige and change the processing. c. The contractually agreed service is provided exclusively in a member state of the European Union or in a state party to the Agreement on the European Economic Area. Any transfer of the service or partial work to a third country requires the prior consent of the Controller and may only occur if the special conditions of Art. 44 (ff.), GDPR are fulfilled, in order to ensure an adequate data protection level. d. The Processor will inform the Controller immediately should he deem any instruction issued by the Controller in violation with legal requirements. The Processor is entitled to suspend implementation of Controller instructions until these instructions are revised or confirmed by the Controller. The Processor is entitled to refuse execution of an evidently unlawful instruction. The Processor may suspend data processing if he can demonstrate that complying with Controller instructions may result in liability of the Processor under Art. 82, GDPR, until liability between the parties clarified. e. The Processor has obliged all personnel engaged in the processing of Controller Data to confidentiality. f. The Processor has taken all appropriate technical and organizational measures in accordance with Article 32, GDPR, to ensure a level of protection appropriate to the risk of Controller Data. For the provision of services, the IT infrastructure of a subcontractor (see point 5) will be utilized. Further information can be found in (Annex 2 and 3 ).