The Data Controller and the Data Processor. a. The Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data in accordance with the terms and conditions of the Agreement, this DPA, and any other written instructions from the Data Controller to which the Data Processor has agreed. The Data Processor will limit Personal Data collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the contracted business purposes. b. The Data Processor will only process the Personal Data on documented instructions of the Data Controller in such manner as, and to the extent that, is necessary for the provision of Services, except as may be otherwise required for compliance with applicable laws, including, but not limited to, EU Data Protection Law and the CCPA, save that the Data Processor may process Personal Data in aggregated or anonymised form to evaluate the effectiveness of or means of improving its products and services. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller violates EU Data Protection Law or the CCPA. c. The Data Processor will not collect, use, retain, disclose or otherwise make Personal Data available for its own commercial purposes or in a way that does not comply with the CCPA. The Data Processor will not sell the Personal Data. d. The Data Processor will promptly comply with any Data Controller request or instruction requiring Data Processor to provide, amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorized processing. e. The Data Controller represents and warrants that it has all necessary rights to provide the Personal Data to Data Processor for the processing to be performed in relation to the Services. To the extent required, Data Controller is responsible for ensuring that any necessary data subject consents to the processing of Personal Data by Data Processor are obtained and for ensuring that a record of such consents is maintained by the Data Controller. f. If the contracted business purposes of the Agreement require the collection of Personal Data from individuals on Data Controller’s behalf, Data Processor will, with regard to any Personal Data collected from residents of California, provide a CCPA-compliant, Data Controller-approved notice addressing use and collection methods. g. The Data Processor shall provide that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. h. Both Parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing personal information collected from residents of California.
Appears in 2 contracts