Confidentiality and Protection of Personal Data. 19.1 Each Party shall keep strictly confidential all information concerning the business and affairs of the other obtained from the other either pursuant to this Agreement or prior to and in contemplation of this Agreement, shall use the same exclusively for the purposes of this Agreement, and shall disclose the same only to those of its directors, employees, professional advisers and sub-contractors to whom and to the extent that such disclosure is reasonably necessary for the purposes of this Agreement.
19.2 The obligations of clause 19.1 above shall survive the termination of this Agreement but shall not apply to any information which:-
19.2.1 the recipient can demonstrate was already in its possession and at its free disposal prior to receipt under the circumstances mentioned at clause 19.1 above;
19.2.2 is subsequently disclosed to the recipient without any obligation of confidence by a third party who has not derived it directly or indirectly from the disclosing Party; or
19.2.3 enters the public domain through no act or default of the recipient, its agents or employees.
19.3 The recipient shall procure that all its directors, employees, professional advisers and sub-contractors who have access to any information of the disclosing Party to which the obligations of clause 19.1 apply (“Information”) shall be made aware of and subject to those obligations.
19.4 Nothing contained in clause 19.1 shall prevent the recipient from disclosing Information whose disclosure is required by law provided that, in such circumstances, the recipient shall have:
19.4.1 informed the disclosing Party promptly upon becoming aware of the relevant legal requirement (to the extent that such action is in conformity with applicable law); and
19.4.2 first given written notice to the authority requiring the disclosure that the information is the confidential information of a third party.
19.5 Both parties will comply with all applicable requirements of the Data Protection Legislation in the performance of this Agreement and any Statement of Work. This clause 19 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
19.6 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and the Company is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
19.7 The Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Company for the duration and purposes of this agreement.
19.8 The Company shall immediately inform the Client if, in its opinion, an instruction pursuant to this Agreement or a Statement of Work infringes Data Protection Legislation, and may at the Company’s discretion decline to follow such an instruction; or if it nonetheless complies with such instruction, it shall be indemnified by the Client against all liability, costs, penalties or other consequences of carrying out that instruction, including such costs as shall reasonably be incurred by the Company in defending itself (whether in terms of legal representation or publicity) against the consequences of following that instruction.
19.9 The subject matter and duration of the processing under the Agreement, the nature and purpose of the processing, the type of personal data processed and the categories of data subjects will be set out in any Data Protection Impact Assessment carried out relating to any specific element of the Services to which they are relevant.
19.10 Without prejudice to the generality of clause 19.7, the Company shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under this agreement:
19.10.1 process that Personal Data only on the written instructions of the Client unless the Company is required by the laws of the United Kingdom, any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws). Where the Company is relying on laws of the United Kingdom, a member of the European Union or European Union law as the basis for processing Personal Data, the Company shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Company from so notifying the Client;
19.10.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
19.10.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and have undergone adequate training in the use, care, protection and handling of Personal Data;
19.10.4 not appoint a subcontractor to process Personal Data without:
19.10.4.1 A general written authorisation from the Client that the Company may approach such sub-contractors as outlined in any authorisations or instructions to the Company; and
19.10.4.2 Imposing contractual data protection obligations on such subcontractor which are no less onerous than those set out in this Agreement; and
19.10.5 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
19.10.5.1 the Client or the Company has provided appropriate safeguards in relation to the transfer;
19.10.5.2 the data subject has enforceable rights and effective legal remedies;
19.10.5.3 the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
19.10.5.4 the Company complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
19.10.6 assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
19.10.7 notify the Client without undue delay on becoming aware of a Personal Data breach providing full details of such breach. The Company shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Client to
19.10.7.1 perform a thorough investigation into the personal data breach, and
19.10.7.2 formulate a correct response and
19.10.7.3 take suitable further steps in respect of the personal data breach in order to meet any requirement under Data Protection Legislation;
19.10.8 at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Personal Data; and
19.10.9 maintain complete and accurate records and information to demonstrate its compliance with this clause 19.
Appears in 2 contracts
Samples: Digital Services Framework Agreement, Digital Services Framework Agreement
Confidentiality and Protection of Personal Data. 19.1 Each Party shall keep strictly confidential all information concerning the business and affairs of the other obtained from the other either pursuant to this Agreement or prior to and in contemplation of this Agreement, shall use the same exclusively for the purposes of this Agreement, and shall disclose the same only to those of its directors, employees, professional advisers and sub-contractors to whom and to the extent that such disclosure is reasonably necessary for the purposes of this Agreement.
19.2 The obligations of clause 19.1 above shall survive the termination of this Agreement but shall not apply to any information which:-
19.2.1 the recipient can demonstrate was already in its possession and at its free disposal prior to receipt under the circumstances mentioned at clause 19.1 above;
19.2.2 is subsequently disclosed to the recipient without any obligation of confidence by a third party who has not derived it directly or indirectly from the disclosing Party; or
19.2.3 enters the public domain through no act or default of the recipient, its agents or employees.
19.3 The recipient shall procure that all its directors, employees, professional advisers and sub-contractors who have access to any information of the disclosing Party to which the obligations of clause 19.1 apply (“Information”) shall be made aware of and subject to those obligations.
19.4 Nothing contained in clause 19.1 shall prevent the recipient from disclosing Information whose disclosure is required by law provided that, in such circumstances, the recipient shall have:
19.4.1 informed the disclosing Party promptly upon becoming aware of the relevant legal requirement (to the extent that such action is in conformity with applicable law); and
19.4.2 first given written notice to the authority requiring the disclosure that the information is the confidential information of a third party.
19.5 Both parties will comply with all applicable requirements of the Data Protection Legislation in the performance of this Agreement and any Statement of Work. This clause 19 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
19.6 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and the Company is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
19.7 The Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Company for the duration and purposes of this agreement.
19.8 The Company shall immediately inform the Client if, in its opinion, an instruction pursuant to this Agreement or a Statement of Work infringes Data Protection Legislation, and may at the Company’s discretion decline to follow such an instruction; or if it nonetheless complies with such instruction, it shall be indemnified by the Client against all liability, costs, penalties or other consequences of carrying out that instruction, including such costs as shall reasonably be incurred by the Company in defending itself (whether in terms of legal representation or publicity) against the consequences of following that instruction.
19.9 The subject matter and duration of the processing under the Agreement, the nature and purpose of the processing, the type of personal data processed and the categories of data subjects will be set out in any Data Protection Impact Assessment carried out relating to any specific element of the Services to which they are relevant.
19.10 Without prejudice to the generality of clause 19.7, the Company shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under this agreement:
19.10.1 process that Personal Data only on the written instructions of the Client unless the Company is required by the laws of the United Kingdom, any member of the European Union or by the laws of the European Union applicable to the Company to process Personal Data (Applicable Laws). Where the Company is relying on laws of the United Kingdom, a member of the European Union or European Union law as the basis for processing Personal Data, the Company shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Company from so notifying the Client;
19.10.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
19.10.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and have undergone adequate training in the use, care, protection and handling of Personal Data;
19.10.4 not appoint a subcontractor to process Personal Data without:
19.10.4.1 A general written authorisation from the Client that the Company may approach such sub-contractors as outlined in any authorisations or instructions to the Company; and
19.10.4.2 Imposing contractual data protection obligations on such subcontractor which are no less onerous than those set out in this Agreement; and
19.10.5 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
19.10.5.1 the Client or the Company has provided appropriate safeguards in relation to the transfer;
19.10.5.2 the data subject has enforceable rights and effective legal remedies;
19.10.5.3 the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
19.10.5.4 the Company complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
19.10.6 assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
19.10.7 notify the Client without undue delay on becoming aware of a Personal Data breach providing full details of such breach. The Company shall fully co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Client to
19.10.7.1 perform a thorough investigation into the personal data breach, and
19.10.7.2 formulate a correct response and
19.10.7.3 take suitable further steps in respect of the personal data breach in order to meet any requirement under Data Protection Legislation;
19.10.8 at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Personal Data; and
19.10.9 maintain complete and accurate records and information to demonstrate its compliance with this clause 19.
Appears in 2 contracts
Samples: Service Agreement, Service Agreement