Common use of Confidentiality and Data Protection Clause in Contracts

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, keep confidential all matters relating to the Contract. 10.2 Clause 10.1 shall not apply to any disclosure of information: (a) required by any applicable law; (b) that is reasonably required by persons engaged by the Supplier in performing the Supplier’s obligations under the Contract; (c) where the Supplier can demonstrate that such information is already generally available and in the public domain other than as a result of a breach of Clause 10.1; or (d) which is already lawfully in the Supplier’s possession prior to its disclosure by the Authority. 10.3 The Supplier shall, and shall procure that Staff shall, comply with any notification requirements under the Data Protection Act 1998 (“DPA”) and shall observe its obligations under the DPA which arise in connection with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 of the DPA. 10.5 The Supplier shall: a) promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4; b) not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the DPA; and c) provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, keep confidential all matters relating to the Contract. 10.2 Clause 10.1 shall not apply to any disclosure of information: (a) required by any applicable law; (b) that is reasonably required by persons engaged by the Supplier in performing the Supplier’s obligations under the Contract; (c) where the Supplier can demonstrate that such information is already generally available and in the public domain other than as a result of a breach of Clause 10.1; or (d) which is already lawfully in the Supplier’s possession prior to its disclosure by the Authority. 10.3 The Supplier shall, and shall procure that Staff shall, comply with any notification requirements under the Data Protection Act 1998 Xxx 0000 (“DPA”) and shall observe its obligations under the DPA which arise in connection with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 of the DPA. 10.5 The Supplier shall: a) promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4; b) not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the DPA; and c) provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, keep confidential all matters relating to the Contract. 10.2 Clause 10.1 shall not apply to any disclosure of information: (a) : required by any applicable law; (b) ; that is reasonably required by persons engaged by the Supplier in performing the Supplier’s obligations under the Contract; (c) ; where the Supplier can demonstrate that such information is already generally available and in the public domain other than as a result of a breach of Clause 10.1; or (d) or which is already lawfully in the Supplier’s possession prior to its disclosure by the Authority. 10.3 The Supplier shall, and shall procure that Staff shall, comply with any notification requirements under the Data Protection Act 1998 Xxx 0000 (“DPA”) and shall observe its obligations under the DPA which arise in connection with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 of the DPA. 10.5 The Supplier shall: a) : promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4; b) ; not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the DPA; and c) and provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA.

Confidentiality and Data Protection. 10.1 9.1 Subject to Clause 10.2, unless agreed otherwise in writing11.1, the Supplier shall, Receiving Party undertakes to the Disclosing Party that: 9.1.1 it shall treat and shall procure that Staff shall, keep safeguard as private and confidential all matters relating Confidential Information; 9.1.2 it shall only use the Confidential Information to the Contractextent that such use is necessary for the purposes of performing its obligations or exercising its rights under this Agreement; 9.1.3 it shall not at any time disclose or reveal any part of the Confidential Information to any person other than a Permitted Recipient; 9.1.4 it shall ensure that each Permitted Recipient to whom Confidential Information is to be disclosed is made aware of and observes the terms of this Clause 9.1 as if that person had given the undertakings contained in this Clause 9.1 directly; 9.1.5 it shall immediately upon written request by the Disclosing Party deliver to the Disclosing Party a list of all individuals to whom the Confidential Information has been disclosed. 10.2 9.2 The provisions of Clause 10.1 9.1 above shall not apply to any disclosure of informationConfidential Information to the extent that such Confidential Information: (a) required by any applicable law9.2.1 is publicly available or becomes publicly available through no act or omission of the Receiving Party; 9.2.2 was in the possession of the Receiving Party, without restriction as to its disclosure, before receiving it from the Disclosing Party 9.2.3 is received from a third party (bwho lawfully acquired it) that is reasonably required by persons engaged without restriction as to its disclosure; 9.2.4 was created independently by the Supplier in performing Receiving Party, without access to the Supplier’s obligations under Confidential Information, as demonstrated by documentary evidence to the Contractreasonable satisfaction of the Disclosing Party; 9.2.5 is required to be disclosed by law or by order of a court of competent jurisdiction or other competent authority provided that (cto the extent it is permitted to do so) where the Supplier can demonstrate Receiving Party gives all reasonable notice of that such information disclosure to the Disclosing Party. 9.3 The Parties agree to fully comply with all relevant Data Protection Legislation but also acknowledge and agree that no processing of personal data (as defined in relevant Data Protection Legislation) is already generally available to take place in furtherance of this Contract unless and until the parties have complied with the provisions of the clause 9.4 below. 9.4 Notwithstanding the above, in the public domain event either Party becomes aware of any need for or believes that data processing (as defined in relevant data protection legislation) is to occur by either Party that Party shall notify the other than with immediate effect and the Parties shall ensure that no processing of personal data takes place until sufficient data processing clauses (as a result of a breach of Clause 10.1; or (d) which is already lawfully in the Supplier’s possession prior to its disclosure determined by the Authority. 10.3 The Supplier shall, and shall procure that Staff shall, comply with any notification requirements under the Data Protection Act 1998 (“DPA”) and shall observe its obligations under the DPA which arise in connection with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures (whether by variation to ensure this Agreement or by way of separate data processing agreement) between the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 of the DPAParties. 10.5 The Supplier shall: a) promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4; b) not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the DPA; and c) provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, 8.1 Each party will keep confidential any information which the other supplies to it in connection with this Agreement. Confidential information will include the Services, Documentation and Content; all matters relating information marked as being confidential; and any other information which might reasonably be assumed to the Contract. 10.2 Clause 10.1 shall be confidential (“Confidential Information”). The obligations as to confidentiality in this Agreement will not apply to any disclosure of informationinformation which: (a) required by is available to the public other than because of any applicable lawbreach of this Agreement; (b) that is, when it is reasonably required by persons engaged by the Supplier supplied, already known to whomever it is disclosed to in performing the Supplier’s obligations under the Contractcircumstances in which they are not prevented from disclosing it to others; (c) where the Supplier can demonstrate that such information is already generally available and independently obtained by whomever it is disclosed to in the public domain other than as a result of a breach of Clause 10.1circumstances in which they are not prevented from disclosing it to others; (d) is trivial or obvious; or (e) is required to be disclosed by law or by any court or tribunal with proper authority to order its disclosure (but only to the extent of such requirements). 8.2 In relation to all "Personal Data" (as defined in the Data Protection Act 2018, which also defines "Processing", “Processor” and "Controller") provided or disclosed by the Client under this Agreement: (a) the Client will identify it clearly as such, when this is not obvious, and disclose it to LOVIS only when reasonably necessary; (b) the Client acknowledges that it is the data Controller of such data, and that LOVIS is only acting on the Client's behalf as the data Processor; (c) the Client acknowledges that it has obtained any necessary consents from its Personnel where Personal Data of the Personnel is passed on to LOVIS under this Agreement. (d) which is already lawfully LOVIS: (i) will comply with the Client's reasonable instructions relating to the security and confidentiality of the Personal Data, and will in any event keep it reasonably confidential and secure from disclosure to unauthorised third parties; and (ii) will Process that Personal Data only in accordance with the Supplier’s possession prior to its disclosure by instructions of the AuthorityClient received via the Support Website. 10.3 The Supplier shall, 8.3 Each party: (a) will obtain and shall procure that Staff shall, comply with any notification requirements maintain all appropriate registrations and consents under the Data Protection Act 1998 (“DPA”) 2018 and shall observe Personal Data Protection laws from the Territory, in order to allow that party to perform its obligations under the DPA which arise this Agreement; (b) will Process Personal Data in connection accordance with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle Act 2018 or laws from the Territory wherever the law is more restrictive; and (c) will use reasonable efforts to make sure that no act or omission by it or its Personnel results in Schedule 1 of the DPA. 10.5 The Supplier shall: a) promptly notify the Authority of any a breach of the security measures required to be put in place pursuant to Clause 10.4; b) not knowingly or negligently do or omit to do anything which places the Authority in breach obligations of its obligations either party under the DPA; and c) provide Data Protection Act 2018 and laws from the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPATerritory.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, keep confidential all matters relating to the Contract. 10.2 Clause 10.1 shall not apply to any disclosure of information: (a) required by any applicable law; (b) that is reasonably required by persons engaged by the Supplier in performing the Supplier’s obligations under the Contract; (c) where the Supplier can demonstrate that such information is already generally available and in the public domain other than as a result of a breach of Clause 10.1; or (d) which is already lawfully in the Supplier’s possession prior to its disclosure by the AuthorityCustomer. 10.3 The Supplier shallCustomer may disclose the Confidential Information of the Supplier: (a) on a confidential basis to any central Government body for any proper purpose of the Customer or of the relevant central Government body; (b) to Parliament and Parliamentary Committees or if required by any Parliamentary reporting requirement; (c) to the extent that the Customer (acting reasonably) deems disclosure necessary or appropriate in the course of carrying out its public functions; (d) on a confidential basis to a professional adviser, and shall procure that Staff shallconsultant, comply supplier or other person engaged by the Customer for any purpose relating to or connected with this Agreement; (e) on a confidential basis for the purpose of the exercise of its rights under this Agreement; or (f) on a confidential basis to a proposed successor body in connection with any notification requirements assignment, novation or disposal of any of its rights, obligations or liabilities under this Agreement 10.4 The Parties acknowledge that for the purposes of the Data Protection Act 1998 Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule [X] . The only processing that the Processor is authorised to do is listed in Schedule [X] by the Controller and may not be determined by the Processor. 10.5 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 10.6 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (“DPA”a) a systematic description of the envisaged processing operations and shall observe the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 10.7 The Processor shall, in relation to any Personal Data processed in connection with its obligations under the DPA which arise in connection with the Contract.this Agreement: 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing (a) process that Personal Data as a only in accordance with Schedule [ X ], unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data Processor unless prohibited by Law; (as those terms are defined in the DPAb) for the Authority, the Supplier shall ensure that it has in place Protective Measures, which are appropriate technical to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that : (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and contractual measures in particular Schedule X); (ii) it takes all reasonable steps to ensure the security reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EUA unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to prevent unauthorised the transfer (whether in accordance with GDPR Article 46 or unlawful LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data), as required under ; (e) at the Seventh Data Protection Principle in Schedule 1 written direction of the DPAController, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 10.5 The Supplier shall10.8 Subject to clause 10.7, the Processor shall notify the Controller immediately if it: (a) promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4receives a Data Subject Request (or purported Data Subject Request); (b) not knowingly receives a request to rectify, block or negligently do erase any Personal Data; (c) receives any other request, complaint or omit communication relating to do anything which places the Authority in breach of its either Party's obligations under the DPAData Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 10.9 The Processor’s obligation to notify under clause 10.8 shall include the provision of further information to the Controller in phases, as details become available. 10.10 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 10.8 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 10.11 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 10.13 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 10.14 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 10.15 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause [X] such that they apply to the Sub-processor; and c(d) provide the Authority Controller with such information regarding the Sub-processor as it the Controller may reasonably require require. 10.16 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 10.17 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to satisfy itself processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 10.18 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Supplier is complying Information Commissioner’s Office. 10.19 Where the Parties include two or more Joint Controllers as identified in Schedule [X ] in accordance with its obligations GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule [Y] in replacement of Clauses 1.1-1.14 for the Personal Data under the DPAJoint Control.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.210.2 and Clause 11, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, keep confidential all matters relating to the Contract. 10.2 Clause 10.1 shall not apply to any disclosure of information: (a) required by any applicable law; (b) that is reasonably required by persons engaged by the Supplier in performing the Supplier’s obligations under the Contract; (c) where the Supplier can demonstrate that such information is already generally available and in the public domain other than as a result of a breach of Clause 10.1; or (d) which is already lawfully in the Supplier’s possession prior to its disclosure by the Authority. 10.3 The Supplier shall, and shall procure that Staff shall, comply with any notification requirements under the Data Protection Act 1998 (“DPA”) and shall observe its obligations under the DPA which arise in connection with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 of the DPA. 10.5 The Supplier shall: a) promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4; b) not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the DPA; and c) provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, 8.1 Each party will keep confidential any information which the other supplies to it in connection with this Agreement. Confidential information will include the Services, Documentation and Content; all matters relating information marked as being confidential; and any other information which might reasonably be assumed to the Contract. 10.2 Clause 10.1 shall be confidential (“Confidential Information”). The obligations as to confidentiality in this Agreement will not apply to any disclosure of informationinformation which: (a) required by is available to the public other than because of any applicable lawbreach of this Agreement; (b) that is, when it is reasonably required by persons engaged by the Supplier supplied, already known to whomever it is disclosed to in performing the Supplier’s obligations under the Contractcircumstances in which they are not prevented from disclosing it to others; (c) where the Supplier can demonstrate that such information is already generally available and independently obtained by whomever it is disclosed to in the public domain other than as a result of a breach of Clause 10.1circumstances in which they are not prevented from disclosing it to others; (d) is trivial or obvious; or (e) is required to be disclosed by law or by any court or tribunal with proper authority to order its disclosure (but only to the extent of such requirements). 8.2 In relation to all "Personal Data" (as defined in the Data Protection Xxx 0000, which also defines "Processing", “Processor” and "Controller") provided or disclosed by the Client under this Agreement: (a) the Client will identify it clearly as such, when this is not obvious, and disclose it to LOVIS only when reasonably necessary; (b) the Client acknowledges that it is the data Controller of such data, and that LOVIS is only acting on the Client's behalf as the data Processor; (c) the Client acknowledges that it has obtained any necessary consents from its Personnel where Personal Data of the Personnel is passed on to LOVIS under this Agreement. (d) which is already lawfully LOVIS: (i) will comply with the Client's reasonable instructions relating to the security and confidentiality of the Personal Data, and will in any event keep it reasonably confidential and secure from disclosure to unauthorised third parties; and (ii) will Process that Personal Data only in accordance with the Supplier’s possession prior to its disclosure by instructions of the AuthorityClient received via the Support Website. 10.3 The Supplier shall, 8.3 Each party: (a) will obtain and shall procure that Staff shall, comply with any notification requirements maintain all appropriate registrations and consents under the Data Protection Act 1998 (“DPA”) and shall observe Xxx 0000 in order to allow that party to perform its obligations under the DPA which arise this Agreement; (b) will Process Personal Data in connection accordance with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle Xxx 0000; and (c) will use reasonable efforts to make sure that no act or omission by it or its Personnel results in Schedule 1 of the DPA. 10.5 The Supplier shall: a) promptly notify the Authority of any a breach of the security measures required to be put in place pursuant to Clause 10.4; b) not knowingly or negligently do or omit to do anything which places the Authority in breach obligations of its obligations either party under the DPA; and c) provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPAData Protection Xxx 0000.

Confidentiality and Data Protection. 10.1 Subject to Clause 10.2, unless agreed otherwise in writing, the Supplier shall, and shall procure that Staff shall, keep confidential all matters relating to the Contract. 10.2 Clause 10.1 shall not apply to any disclosure of information: (a) : required by any applicable law; (b) ; that is reasonably required by persons engaged by the Supplier in performing the Supplier’s obligations under the Contract; (c) ; where the Supplier can demonstrate that such information is already generally available and in the public domain other than as a result of a breach of Clause 10.1; or (d) or which is already lawfully in the Supplier’s possession prior to its disclosure by the Authority. 10.3 The Supplier shall, and shall procure that Staff shall, comply with any notification requirements under the Data Protection Act 1998 (“DPA”) and shall observe its obligations under the DPA which arise in connection with the Contract. 10.4 Notwithstanding the general obligations in Clause 10.3, where the Supplier is processing Personal Data as a Data Processor (as those terms are defined in the DPA) for the Authority, the Supplier shall ensure that it has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to prevent unauthorised or unlawful processing of the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 of the DPA. 10.5 The Supplier shall: a) : promptly notify the Authority of any breach of the security measures required to be put in place pursuant to Clause 10.4; b) ; not knowingly or negligently do or omit to do anything which places the Authority in breach of its obligations under the DPA; and c) and provide the Authority with such information as it may reasonably require to satisfy itself that the Supplier is complying with its obligations under the DPA.