Common use of Protection of Information Clause in Contracts

Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period and for such time as the Supplier holds the Customer Personal Data. The Supplier shall and shall procure that Supplier’s Staff comply with any notification requirements under the DPA and both Parties undertake to duly observe all their obligations under the DPA which arise in connection with the Call-Off Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3Error: Reference source not found, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3Error: Reference source not found, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).and/or

Protection of Information. The provisions of this Clause CO-3FW-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions Protection of this Clause CO-3Personal Data With respect to the Parties' rights and obligations under the Contract, shall apply during the Call-Off Agreement Period Parties agree that the Client is the Data Controller and for such time as that the Supplier holds Solicitor is the Customer Data Processor in relation to the Client’s Personal Data. The Supplier shall and shall procure that Supplier’s Staff comply with any notification requirements under the DPA and both Parties undertake to duly observe all their obligations under the DPA which arise in connection with the Call-Off Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier Solicitor shall: Process Service the Client’s Personal Data only in accordance with written instructions from the Customer Client (which may be specific instructions or instructions of a general nature as set out in this Call-Off Agreementthe Contract or as otherwise notified by the Client to the Solicitor during the term of the Contract); Process the Service Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service the Client’s Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service the Client’s Personal Data and having regard to the nature of the Service Client’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier all members of the Solicitor’s Staff who have access to Service the Client’s Personal Data; obtain the Client’s prior written approval in order to transfer all or any of the Client’s Personal Data to any Sub-Contractors for the provision of the Contract Services; ensure that all Supplier members of the Solicitor’s Staff required to access Service the Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this ClauseClause 7.1; ensure that none of the Supplier Solicitor’s Staff publish, disclose or divulge Customerany of the Client’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the CustomerClient; notify the Customer Client within five (5) Working Days if it the Solicitor receives: a request from a Data Subject to have access to Service the Client’s Personal Data relating to that person; or a complaint or request relating to the Customer’s Client's obligations under the Data Protection Legislation; provide the Customer Client with full cooperation and assistance in relation to any complaint or request made relating to Service the Client’s Personal Data, including by: providing the Customer Client with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s Client's instructions; providing the Customer Client with any Service Client’s Personal Data it holds in relation to a Data Subject (within the timescales required by the CustomerClient); and providing the Customer Client with any information requested by the Data Subject. The Supplier shall: Client; permit or procure permission for the Customer Client or the CustomerClient’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit audit, the SupplierSolicitor's data Processing activities (and/or those of its agents, subsidiaries agents and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer Client to enable the Customer Client to verify and/or procure that the Supplier Solicitor is in full compliance with its obligations under this Call-Off Agreementthe Contract; and/or subject to Clause CO-3.6 agree to an appointment provide a written description of an independent auditor selected the technical and organisational methods employed by the Supplier to undertake Solicitor for Processing the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Client’s Personal Data to any other person (including for within the avoidance of doubt any Sub-Contractors) for timescales required by the provision of the G-Cloud ServicesClient); and not cause or permit to be Processed, stored, accessed Process or otherwise transferred transfer any Client’s Personal Data outside the EEA any Customer Personal Data supplied to it by the Customer European Economic Area without the prior written consent of the CustomerClient which may be given on such terms as the Client in its discretion thinks fit. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: The Solicitor shall comply at all times with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Legislation and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement the Contract in such a way as to cause the Customer Client to breach any of its applicable obligations under the Data Protection Legislation. The Supplier Solicitor acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the Client’s Personal Data that the Customer Client may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor to comply with its obligations under the Contract, Client’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data and shall reimburse the Client in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Solicitor.

Protection of Information. The provisions of this Clause CO-3., shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.86 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3., shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off this Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.8 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions Data Protection Act8 For the purposes of this Clause CO-35.1, shall apply during the Call-Off Agreement Period and for such time as the Supplier holds the Customer terms "Data Controller", "Data Processor", “Data Subject”, "Personal Data", "Process" and "Processing" shall have the meanings prescribed under the DPA. The Supplier Service Provider shall (and shall procure that Supplier’s Staff all of its Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all of their obligations under the DPA which arise in connection with the Call-Off AgreementContract. To Notwithstanding the extent that general obligation in Clause 5.1.2, where the Supplier Service Provider is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal as a Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide Processor for the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier Provider shall: Process Service the Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreementthe Contract; comply with all applicable laws; Process the Service Personal Data only to the extent, and in such manner, manner as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory BodyService Provider's obligations under the Framework Agreement; implement appropriate technical and organisational measures to protect Service the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result arise from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to Service the Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff its employees and agents who may have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; use all reasonable endeavours to ensure that none such persons have sufficient skills and training in the handling of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit the Personal Data to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer European Economic Area without the prior written consent of the Customer. Where ; not disclose the Personal Data to any third parties in any circumstances other than with the written consent of the Customer consents to such Processing, storing, accessing or transfer outside in compliance with a legal obligation imposed upon the European Economic Area the Supplier shall: comply Customer; and co-operate with the obligations of a Data Controller under Customer to enable the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection Customer to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by request under Section 7 of the DPA. notify the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that within [five] Working Days if it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).receives:

Protection of Information. The provisions of this Clause CO-3CO-7, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).confidentiality

Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to shall duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.86 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).and/or

Protection of Information. The provisions of this Clause CO-3Error! Reference source not found., shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3FW-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data Data) and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO-3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period and for such time as the Supplier holds the Customer Personal Data. The Supplier shall and shall procure that Supplier’s Staff comply with any notification requirements under the DPA and both Parties undertake to duly observe all their obligations under the DPA which arise in connection with the Call-Off Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processedprocessed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected appointed by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is supplier but acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings)) can be used to undertake the activities in Clause CO-3.5.1 where the restrictions in Clause CO 3.6 allow. The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processingprocessing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer Authority or Contracting Body concerned and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).

Protection of Information. The provisions of this Clause CO-3FW-1.5, shall apply during the Call-Off Agreement Period Term and for such time as the Supplier holds the Customer Personal Data. The Supplier shall (and shall procure that Supplier’s Staff Staff) comply with any notification requirements under the DPA and both Parties undertake to will duly observe all their obligations under the DPA which arise in connection with the Call-Off Framework Agreement. To the extent that the Supplier is Processing the Order Personal Data the Supplier shall: ensure that it has in place appropriate technical and organisational measures to ensure the security of the Order Personal Data (and to guard against unauthorised or unlawful Processing of the Order Personal Data and against accidental loss or destruction of, or damage to, the Order Personal Data; and provide the Customer with such information as the Customer may reasonably request to satisfy itself that the Supplier is complying with its obligations under the DPA; promptly notify the Customer of any breach of the security measures to be put in place pursuant to this Clause; and ensure that it does not knowingly or negligently do or omit to do anything which places the Customer in breach of its obligations under the DPA. To the extent that the Supplier Processes Service Personal Data the Supplier shall: Process Service Personal Data only in accordance with written instructions from the Customer as set out in this Call-Off Agreement; Process the Service Personal Data only to the extent, and in such manner, as is necessary for the provision of the G-Cloud Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect Service Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to Service Personal Data and having regard to the nature of the Service Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Supplier Staff who have access to Service Personal Data; ensure that all Supplier Staff required to access Service Personal Data are informed of the confidential nature of the Service Personal Data and comply with the obligations set out in this Clause; ensure that none of the Supplier Staff publish, disclose or divulge Customer’s Personal Data to any third party unless necessary for the provision of the G-Cloud Services under the Call-Off Agreement and/or directed in writing to do so by the Customer; notify the Customer within five (5) Working Days if it receives: a request from a Data Subject to have access to Service Personal Data relating to that person; or a complaint or request relating to the Customer’s obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made relating to Service Personal Data, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer’s instructions; providing the Customer with any Service Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Data Subject. The Supplier shall: permit the Customer or the Customer’s Representative (subject to the reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) or provide to the Customer an independent third party inspection and audit certificate in lieu of the same (unless otherwise agreed between the Parties, the option of providing a certificate in lieu shall not be available at IL3 and above) and shall comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Call-Off Agreement; and/or subject to Clause CO-3.6 agree to an appointment of an independent auditor selected by the Supplier to undertake the activities in Clause CO-3.5.1 provided such selection is acceptable to the Customer or Customer Representative (subject to such independent auditor complying with the reasonable and appropriate confidentiality undertakings). The Supplier Shall: obtain prior written consent from the Customer in order to transfer Customer Personal Data to any other person (including for the avoidance of doubt any Sub-Contractors) for the provision of the G-Cloud Services; not cause or permit to be Processed, stored, accessed or otherwise transferred outside the EEA any Customer Personal Data supplied to it by the Customer without the prior written consent of the Customer. Where the Customer consents to such Processing, storing, accessing or transfer outside the European Economic Area the Supplier shall: comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is so processed, stored, accessed or transferred; comply with any reasonable instructions notified to it by the Customer and either: incorporate standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) or warrant that that the obligations set out in the Supplier Terms provide Adequate protection for Personal Data. The Supplier shall not perform its obligations under this Call-Off Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach).and/or