Controller to Processor Clauses. In respect of the Personal Data processed by Xxxx as a Processor acting on behalf of Client under this Addendum, the Processor will:
(a) process the Personal Data only on Client’s written instructions, unless required by law to process it differently (in which case it shall, if permitted by such law, promptly notify Client of that requirement before processing);
(b) process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under the Agreement;
(c) ensure that persons engaged in the processing of Personal Data are bound by appropriate confidentiality obligations;
(d) keep a record of the processing it carries out, and ensure the same is accurate;
(e) comply promptly with any lawful request from Client requesting access to, copies of, or the amendment, transfer or deletion of the Personal Data to the extent the same is necessary to allow Client to fulfill its own obligations under the Data Protection Laws, including Client’s obligations arising in respect of a request from a data subject;
(f) notify Client promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the Personal Data or to either party’s compliance with the Data Protection Laws as it relates to this Addendum, and provide Client with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
(g) ensure in each case that, prior to the processing of any Personal Data by any Sub-Processor, the Processor and the Sub-Processor agree to contract on the terms set out in this Data Protection Addendum (“Relevant Terms”). The Processor shall procure the performance of the Relevant Terms by the Sub-Processor and shall be directly liable to Client for any breach by the Sub-Processor of any of the Relevant Terms;
(h) only transfer the Personal Data outside of the European Economic Area if it has fulfilled each of the following conditions: (i) it has in place any of the specifically approved safeguards for data transfers (as recognized under the Data Protection Laws) in relation to the transfer; (ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer; (iii) it provides an adequate level of protection to any Personal Data that is transferred (including by way of a European Commission finding of adequacy); and (iv) it complies with reasonable instructions with respect to the transfer;
(i) inform Client without undue delay within forty-eight (48) hours after having become aware of a breach if any Personal Data processed under this Addendum is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorized or unlawful processing including unauthorized or unlawful access or disclosure (“Personal Data Breach”);
(j) promptly provide Client with full cooperation and assistance in respect of the Personal Data Breach and all information in the Processor's possession concerning the Personal Data Breach, including the following:
(i) the possible cause and consequences of the Personal Data Breach;
(ii) the categories of Personal Data and the approximate number of data subjects involved; and
(iii) the measures taken by the Processor to mitigate any damage;
(k) inform Client promptly if it receives a request from a data subject exercising their data subject rights and provide Client with reasonable cooperation and assistance in relation to such request;
(l) not disclose the Personal Data to any third party other than at the request of Client or as otherwise required under the Agreement;
(m) provide reasonable assistance to the Client in complying with its obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments, and consultations with supervisory authorities or regulators;
(n) provide Client with all information that is necessary to enable Client to monitor the Processor's compliance with the Data Protection Laws and its obligations under this Addendum at any time during regular business hours. Xxxx may satisfy Client’s right of audit under the Data Protection Laws in relation to Personal Data, by providing an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that Xxxx’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard. Xxxx reserves the right to refuse audit requests from an entity that is a competitor of Xxxx; and
(o) delete or return that Personal Data to Client at the end of the duration of the processing, and at that time delete or destroy existing copies. If return or destruction is impracticable or prohibited by law, rule or regulation, Xxxx shall take measures to block such Personal Data from any further processing (except to the extent necessary for processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
(p) Client acknowledges and agrees that Xxxx may (i) engage its Affiliates and Sub-Processors listed in Appendix 5 to this Addendum to access and process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Addendum, Client provides general written authorization to Xxxx to engage Sub-Processors as necessary to perform the Services.
(q) A list of Xxxx’s current Sub-Processors (the “List”) will be made available to Client, through a link provided by Xxxx, via email, or through other means made available to Client. Such a List may be updated by Xxxx from time to time. Xxxx provides a mechanism to subscribe to notifications of new Sub-Processors and Client agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Sub-Processors to access or participate in the processing of Personal Data, Xxxx will add such third parties to the List and notify Client. The Client may object to such an engagement by informing Xxxx within ten (10) days of receipt of the aforementioned notice by Xxxx, provided such objection is in writing and based on reasonable grounds relating to data protection. Client acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Xxxx from offering the Services to Client.
(r) If Client reasonably objects to an engagement in accordance with Section 7, and Xxxx cannot provide a commercially reasonable alternative within a reasonable period of time, Client may discontinue the use of the affected Service by providing written notice to Xxxx. Discontinuation shall not relieve Client of any fees owed to Xxxx under the Agreement.
(s) If Client does not object to the engagement of a third party in accordance with Section 7 within ten (10) days of notice by Xxxx, that third party will be deemed a Client approved Sub-Processor for the purposes of this Addendum.
(t) Xxxx will enter into a written agreement with the Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Xxxx under this Addendum with respect to the protection of Personal Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Xxxx, Xxxx will remain liable to Client for the performance of the Sub-Processor’s obligations under such agreement.
Appears in 2 contracts
Controller to Processor Clauses. 1. In respect of the Personal Data processed by Xxxx as a Processor acting on behalf of Client under this Agreement, the Processor will:
(a) process the Personal Data only on Client’s written instructions, unless required by law to process it differently (in which case it shall, if permitted by such law, promptly notify Client of that requirement before processing);
(b) process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under the Agreement;
(c) ensure that persons engaged in the processing of Personal Data are bound by appropriate confidentiality obligations;
(d) keep a record of the processing it carries out, and ensure the same is accurate;
(e) comply promptly with any lawful request from Client requesting access to, copies of, or the amendment, transfer or deletion of the Personal Data to the extent the same is necessary to allow Client to fulfill its own obligations under the Data Protection Laws, including Client’s obligations arising in respect of a request from a data subject;
(f) notify Client promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the Personal Data or to either party’s compliance with the Data Protection Laws as it relates to this Agreement, and provide Client with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
(g) ensure in each case that, prior to the processing of any Personal Data by any Sub-Processor, the Processor and the Sub-Processor agree to contract on the terms set out in this Data Protection Addendum (“Relevant Terms”). The Processor shall procure the performance of the Relevant Terms by the Sub-Processor and shall be directly liable to Client for any breach by the Sub-Processor of any of the Relevant Terms;
(h) only transfer the Personal Data outside of the European Economic Area (including outside of the UK if it ceases to be a member of the European Economic Area) if it has fulfilled each of the following conditions: (i) it has in place any of the specifically approved safeguards for data transfers (as recognised under the Data Protection Laws) in relation to the transfer; (ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer; (iii) it provides an adequate level of protection to any Personal Data that is transferred (including by way of a European Commission finding of adequacy); and (iv) it complies with reasonable instructions with respect to the transfer;
(i) inform Client without undue delay within forty-eight (48) hours after having become aware of a breach if any Personal Data processed under this Agreement is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorized or unlawful processing including unauthorized or unlawful access or disclosure (“Security Incident”);
(j) promptly provide Client with full cooperation and assistance in respect of the Security Incident and all information in the Processor's possession concerning the Security Incident, including the following:
(i) the possible cause and consequences of the Security Incident;
(ii) the categories of Personal Data and the approximate number of data subjects involved; and
(iii) the measures taken by the Processor to mitigate any damage;
(k) inform Client promptly if it receives a request from a data subject exercising their data subject rights and provide Client with reasonable cooperation and assistance in relation to such request;
(l) not disclose the Personal Data to any third party other than at the request of Client or as otherwise required under the Agreement;
(m) provide reasonable assistance to the Client in complying with its obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
(n) provide Client with all information that is necessary to enable Client to monitor the Processor's compliance with the Data Protection Laws and its obligations under this Agreement at any time during regular business hours. Xxxx may satisfy Client’s right of audit under the Data Protection Laws in relation to Personal Data, by providing an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that Xxxx’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard. Xxxx reserves the right to refuse audit requests from an entity who is a competitor of Xxxx; and
(o) delete or return that Personal Data to Client at the end of the duration of the processing, and at that time delete or destroy existing copies. If return or destruction is impracticable or prohibited by law, rule or regulation, Xxxx shall take measures to block such Personal Data from any further processing (except to the extent necessary for processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
(p) Client acknowledges and agrees that Xxxx may (i) engage its Affiliates and Sub-Processors listed in Appendix 5 to this Addendum to access and process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Addendum, Client provides general written authorization to Xxxx to engage Sub-Processors as necessary to perform the Services.
(q) A list of Xxxx’s current Sub-Processors (the “List”) will be made available to Client, through a link provided by Xxxx, via email, or through other means made available to Client. Such a List may be updated by Xxxx from time to time. Xxxx provides a mechanism to subscribe to notifications of new Sub-Processors and Client agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Sub-Processors to access or participate in the processing of Personal Data, Xxxx will add such third parties to the List and notify Client. The Client may object to such an engagement by informing Xxxx within ten (10) days of receipt of the aforementioned notice by Xxxx, provided such objection is in writing and based on reasonable grounds relating to data protection. Client acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Xxxx from offering the Services to Client.
(r) If Client reasonably objects to an engagement in accordance with Section 7, and Xxxx cannot provide a commercially reasonable alternative within a reasonable period of time, Client may discontinue the use of the affected Service by providing written notice to Xxxx. Discontinuation shall not relieve Client of any fees owed to Xxxx under the Agreement.
(s) If Client does not object to the engagement of a third party in accordance with Section 7 within ten (10) days of notice by Xxxx, that third party will be deemed a Client approved Sub-Processor for the purposes of this Addendum.
(t) Xxxx will enter into a written agreement with the Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Xxxx under this Addendum with respect to the protection of Personal Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Xxxx, Xxxx will remain liable to Client for the performance of the Sub-Processor’s obligations under such agreement.
Appears in 2 contracts
Controller to Processor Clauses. In respect of the Personal Data processed by Xxxx as a Processor acting on behalf of Client under this Agreement, the Processor will:
(a) process the Personal Data only on Client’s written instructions, unless required by law to process it differently (in which case it shall, if permitted by such law, promptly notify Client of that requirement before processing);
(b) process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes of carrying out its obligations under the Agreement;
(c) ensure that persons engaged in the processing of Personal Data are bound by appropriate confidentiality obligations;
(d) keep a record of the processing it carries out, and ensure the same is accurate;
(e) comply promptly with any lawful request from Client requesting access to, copies of, or the amendment, transfer or deletion of the Personal Data to the extent the same is necessary to allow Client to fulfill its own obligations under the Data Protection Laws, including Client’s obligations arising in respect of a request from a data subject;
(f) notify Client promptly if it receives any complaint, notice or communication (whether from a data subject, competent supervisory authority or otherwise) relating to the processing, the Personal Data or to either party’s compliance with the Data Protection Laws as it relates to this Agreement, and provide Client with reasonable co-operation, information and other assistance in relation to any such complaint, notice or communication;
(g) ensure in each case that, prior to the processing of any Personal Data by any Sub-Processor, the Processor and the Sub-Processor agree to contract on the terms set out in this Data Protection Addendum (“Relevant Terms”). The Processor shall procure the performance of the Relevant Terms by the Sub-Processor and shall be directly liable to Client for any breach by the Sub-Processor of any of the Relevant Terms;
(h) only transfer the Personal Data outside of the European Economic Area (including outside of the UK if it ceases to be a member of the European Economic Area) if it has fulfilled each of the following conditions: (i) it has in place any of the specifically approved safeguards for data transfers (as recognized under the Data Protection Laws) in relation to the transfer; (ii) data subjects continue to have enforceable rights and effective legal remedies following the transfer; (iii) it provides an adequate level of protection to any Personal Data that is transferred (including by way of a European Commission finding of adequacy); and (iv) it complies with reasonable instructions with respect to the transfer;
(i) inform Client without undue delay within forty-eight (48) hours after having become aware of a breach if any Personal Data processed under this Agreement is lost or destroyed or becomes damaged, corrupted, or unusable or is otherwise subject to unauthorized or unlawful processing including unauthorized or unlawful access or disclosure (“Security Incident”);
(j) promptly provide Client with full cooperation and assistance in respect of the Security Incident and all information in the Processor's possession concerning the Security Incident, including the following:
(i) the possible cause and consequences of the Security Incident;
(ii) the categories of Personal Data and the approximate number of data subjects involved; and
(iii) the measures taken by the Processor to mitigate any damage;
(k) inform Client promptly if it receives a request from a data subject exercising their data subject rights and provide Client with reasonable cooperation and assistance in relation to such request;
(l) not disclose the Personal Data to any third party other than at the request of Client or as otherwise required under the Agreement;
(m) provide reasonable assistance to the Client in complying with its obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments, and consultations with supervisory authorities or regulators;
(n) provide Client with all information that is necessary to enable Client to monitor the Processor's compliance with the Data Protection Laws and its obligations under this Agreement at any time during regular business hours. Xxxx may satisfy Client’s right of audit under the Data Protection Laws in relation to Personal Data, by providing an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that Xxxx’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard. Xxxx reserves the right to refuse audit requests from an entity that is a competitor of Xxxx; and
(o) delete or return that Personal Data to Client at the end of the duration of the processing, and at that time delete or destroy existing copies. If return or destruction is impracticable or prohibited by law, rule or regulation, Xxxx shall take measures to block such Personal Data from any further processing (except to the extent necessary for processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control.
(p) Client acknowledges and agrees that Xxxx may (i) engage its Affiliates and Sub-Processors listed in Appendix 5 to this Addendum to access and process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Addendum, Client provides general written authorization to Xxxx to engage Sub-Processors as necessary to perform the Services.
(q) A list of Xxxx’s current Sub-Processors (the “List”) will be made available to Client, through a link provided by Xxxx, via email, or through other means made available to Client. Such a List may be updated by Xxxx from time to time. Xxxx provides a mechanism to subscribe to notifications of new Sub-Processors and Client agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Sub-Processors to access or participate in the processing of Personal Data, Xxxx will add such third parties to the List and notify Client. The Client may object to such an engagement by informing Xxxx within ten (10) days of receipt of the aforementioned notice by Xxxx, provided such objection is in writing and based on reasonable grounds relating to data protection. Client acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Xxxx from offering the Services to Client.
(r) If Client reasonably objects to an engagement in accordance with Section 7, and Xxxx cannot provide a commercially reasonable alternative within a reasonable period of time, Client may discontinue the use of the affected Service by providing written notice to Xxxx. Discontinuation shall not relieve Client of any fees owed to Xxxx under the Agreement.
(s) If Client does not object to the engagement of a third party in accordance with Section 7 within ten (10) days of notice by Xxxx, that third party will be deemed a Client approved Sub-Processor for the purposes of this Addendum.
(t) Xxxx will enter into a written agreement with the Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Xxxx under this Addendum with respect to the protection of Personal Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Xxxx, Xxxx will remain liable to Client for the performance of the Sub-Processor’s obligations under such agreement.
Appears in 1 contract
Samples: Data Processing Addendum