Common use of DATA CONTROLLER OBLIGATIONS Clause in Contracts

DATA CONTROLLER OBLIGATIONS. 3.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.‌ 3.2.2 Without limiting the generality of the obligation set out in Paragraph 3.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws. (d) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements; and where requested provide to the other Party evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request;‌ (e) notify the other Party promptly, and in any event within forty-eight

DATA CONTROLLER OBLIGATIONS. 3.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.‌Laws. 3.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 3.2.12.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws.; (d) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements; , and where requested provide to the other Party University with evidence of its the Provider’s compliance with such requirements promptly, and in any event within forty-forty eight (48) hours of the request;‌request; (e) notify the other Party promptly, and in any event within forty-forty eight

DATA CONTROLLER OBLIGATIONS. 3.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.‌Laws. 3.2.2 Without limiting the generality of the obligation set out in Paragraph 3.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws.; (d) ensure that appropriate technical and organisational security measures are in place sufficient to comply with with: (i) at least the obligations imposed on the Controller by the Security Requirements; and (ii) the obligations set out in Appendix 2 (Information Security); and where requested provide to the other Party University evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request;‌request; (e) notify the other Party promptly, and in any event within forty-eight