Common use of ABILITY AND CAPACITY Clause in Contracts

ABILITY AND CAPACITY. The Processer guarantees that it has the necessary technical and organizational capacity, including technical solutions, skills, financial and personnel resources, routines and methods to be able to fulfill the obligations set forth in this DPA and the Data Protection Regulations. Upon the Controller’s request, the Processor shall provide relevant documentation, refer to relevant and approved Code of Conduct or certification, allow for and contribute to audits and inspections and/or provide other adequate evidence, to prove that the Processor fulfills the obligations in this DPA and the Data Protection Regulations. The Processor shall, without undue delay, make relevant information and documents necessary to demonstrate compliance with the obligations in this DPA or Data Protection Regulations available to the Controller and allow for effective audits, conducted by the Controller or another auditor mandated by the Controller, including giving access to the Processor’s premises and equipment for inspection. The Processer shall implement appropriate technical and organizational measures to ensure a level of security adequate given the risk that the Processing of Personal Data entails. The Processor shall only grant access to the Personal Data on a need to know basis to be able to fulfill the Processor’s obligations under this DPA. The Processer shall ensure that persons under the Processor’s authority has undertaken required training and received sufficient instructions to handle the Personal Data in an efficient and secure manner. The Processor shall process the Personal Data, where applicable, in accordance with Public Access to Information and Secrecy Act (2009:400) and in a confidential manner and ensure that persons under the Processor’s authority have committed themselves to an equivalent confidentiality undertaking or are under an appropriate statutory obligation of confidentiality. The Processor shall, without undue relay, and no later than forty eight (48) hours after having become aware, notify the Controller about the existence of or the risk of a Personal Data Incident. Such notification shall include all the necessary and available information for the Controller to be able to take appropriate preventive measures and countermeasures and to fulfill the obligations to notify the competent supervisory authority and/or the data subjects of a Personal Data Incident. The commitment in paragraph 6.2, shall remain in force even after this DPA has been terminated, but no later than such time that is applicable according to certain legal requirements. The Processor shall, at the request of the Controller, assist the Controller in ensuring compliance with the Controller’s obligations in accordance with Data Protection Regulations, and thereby assist the Controller in executing a Data Protection Impact Assessment in regards to data protection, provide the Controller with information concerning the technical and organizational measures already implemented by the Processor to ensure appropriate level of protection, if the Controller consults the supervisory authority, assist the Controller with the requested information, and assist the Controller’s investigation regarding Personal Data Incidents. The Processor does not retain the right to claim compensation for the assistance stated in this paragraph, if not otherwise agreed upon between the Parties.

ABILITY AND CAPACITY. The Processer Processor guarantees that it has the necessary technical and organizational capacity, including technical solutions, skills, financial and personnel resources, routines and methods to be able to fulfill the obligations set forth in this DPA and the Data Protection Regulations. Upon the Controller’s request, the Processor shall provide relevant documentation, refer to relevant and approved Code of Conduct or certification, allow for and contribute to audits and inspections and/or provide any other adequate necessary evidence, to prove that the Processor fulfills the obligations in this DPA and the Data Protection Regulations. The Processor shall, without undue delay, make shall at the request of the Controller provide the Controller with any relevant information and and/or documents necessary to demonstrate compliance with the obligations in this DPA or Data Protection Regulations available to the Controller without undue delay, and allow for effective audits, conducted by the Controller or another auditor mandated by the Controller, including giving access to the Processor’s premises and equipment for inspection. The Processer shall implement appropriate technical and organizational measures to ensure a level of security adequate given the risk that the Processing of Personal Data entails. The Processor shall only grant access to the Personal Data on a need to know basis to be able to fulfill the Processor’s obligations under this DPA. The Processer shall ensure that persons under the Processor’s authority has undertaken required training and received sufficient instructions to handle the Personal Data in an efficient and secure manner. The Processor shall process the Personal Data, where applicable, in accordance with Public Access to Information and Secrecy Act (2009:400) and in a confidential manner and ensure that persons under the Processor’s authority have committed themselves to an equivalent confidentiality undertaking or are under an appropriate statutory obligation of confidentiality. The Processor shall, without undue relay, and no later than forty eight (48) hours after having become awareaware of a Personal Data Breach, notify the Controller about the existence of or the risk of a Personal Data IncidentBreach. Such notification shall include all the necessary and available information for the Controller to be able to take appropriate preventive measures and countermeasures and to fulfill the obligations to notify the competent supervisory authority and/or inform the data subjects of a Personal Data IncidentBreach. The commitment in paragraph 6.2, shall remain in force even after this DPA has been terminated, but no later than such time that is applicable according to certain legal requirements. The Processor shall, at the request of the Controller, assist the Controller in ensuring compliance with the Controller’s obligations in accordance with Data Protection Regulations, and thereby assist the Controller in executing a Data Protection Impact Assessment in regards to data protection, provide the Controller with information concerning the technical and organizational measures already implemented by the Processor to ensure appropriate level of protection, if the Controller consults the supervisory authority, assist the Controller with the requested information, and assist the Controller’s investigation regarding Personal Data IncidentsBreach. The Processor does not retain the right to claim compensation for the assistance stated in this paragraph, if not otherwise agreed upon between the Parties.

ABILITY AND CAPACITY. The Processer Processoer guarantees that it has the necessary technical and organizational capacity, including technical solutions, skills, financial and personnel resources, routines and methods to be able to fulfill the obligations set forth in this DPA and the Data Protection Regulations. Upon the Controller’s request, the Processor shall provide relevant documentation, refer to relevant and approved Code of Conduct or certification, allow for and contribute to audits and inspections and/or provide any other adequate necessary evidence, to prove that the Processor fulfills the obligations in this DPA and the Data Protection Regulations. The Processor shallshall at the request of the Controller, without undue delay, make provide the Controller with any relevant information and and/or documents necessary to demonstrate compliance with the obligations in this DPA or Data Protection Regulations without undue delay, available to the Controller and allow for effective audits, conducted by the Controller or another auditor mandated by the Controller, including giving access to the Processor’s premises and equipment for inspection. The Processer shall implement appropriate technical and organizational measures to ensure a level of security adequate given the risk that the Processing of Personal Data entails. The Processor shall only grant access to the Personal Data on a need to know basis to be able to fulfill the Processor’s obligations under this DPA. The Processer shall ensure that persons under the Processor’s authority has undertaken required training and received sufficient instructions to handle the Personal Data in an efficient and secure manner. The Processor shall process the Personal Data, where applicable, in accordance with Public Access to Information and Secrecy Act (2009:400) and in a confidential manner and ensure that persons under the Processor’s authority have committed themselves to an equivalent confidentiality undertaking or are under an appropriate statutory obligation of confidentiality. The Processor shall, without undue relay, and no later than forty eight (48) hours after having become awareaware of a Personal Data Breach, notify the Controller about the existence of or the risk of a Personal Data IncidentBreachIncident. Such notification shall include all the necessary and available information for the Controller to be able to take appropriate preventive measures and countermeasures and to fulfill the obligations to notify the competent supervisory authority and/or inform the data subjects of a Personal Data IncidentBreachIncident. The commitment in paragraph 6.2, shall remain in force even after this DPA has been terminated, but no later than such time that is applicable according to certain legal requirements. The Processor shall, at the request of the Controller, assist the Controller in ensuring compliance with the Controller’s obligations in accordance with Data Protection Regulations, and thereby assist the Controller in executing a Data Protection Impact Assessment in regards to data protection, provide the Controller with information concerning the technical and organizational measures already implemented by the Processor to ensure appropriate level of protection, if the Controller consults the supervisory authority, assist the Controller with the requested information, and assist the Controller’s investigation regarding Personal Data IncidentsIncidentsBreach. The Processor does not retain the right to claim compensation for the assistance stated in this paragraph, if not otherwise agreed upon between the Parties. If necessary, the Controller is required to carry out a review to assess the Processing of Personal Data in accordance with any present impact assessment regarding data protection. The need for such a review is particularly relevant when the level of risk regarding the Processing changes. The Processor shall assist the Controller to carry out the review and comply with the obligations set out in paragraph 7.1. If a Registered PersonData Subject, the supervisory authority or a third party requests information from the Processor, or if necessary the sub-processor, regarding the Processing of Personal Data, the Processor shall, without undue delay, inform the Controller of the matter. Furthermore, the Processor shall as soon as possible, and without undue delay, refer to the Controller. The Processor may only disclose the Personal Data or information regarding the Processing in accordance with instructions from the Controller or if the Processer is required to disclose the current information in accordance with applicable law, regulation, court order or other decision by the regulatory authority or security regulations. The Processor shall assist the Controller, as far as possible, with technical and organizational security measures, enabling the Controller to fulfil its obligations regarding the rights of the data subjects. The Processor shall inform the Controller, Tthirty (30) days before in advance of any planned change of to the Processing of Personal Data, including technical and organizational measures that can affect the protection of Personal Data and the Processor’s compliance with Data Protection LegislationRegulations, the Processor shall in writing inform the Controller of such change. The Controller shall give consent, which shall not be unreasonably withheld, before such change is enforced. The Controller shall not withhold consent unreasonably.