DATA CONTROLLER’S OBLIGATIONS. 4.1. The Data Controller acknowledges and agrees that in order for the Data Processor to provide the Service, the Data Controller shall provide the Data Processor with the Client Personal Data. The Data Controller undertakes to verify that the security measures listed in Annex 2 of this Contract are compatible with the types of Personal Data that the Data Controller intends to entrust to the Data Processor.
4.2. The Data Controller represents and warrants that:
a) it has an appropriate legal basis (e.g., Data Subject’s consent, legitimate interests, authorisation from the relevant Supervisory Authority, etc.) to Process and disclose the Client Personal Data to the Data Processor as part of the provision of the Service; and,
b) the provisions laid down in the present DPA reflect the obligations that the Applicable Laws require Register to comply with, concerning the Processing of Client Personal Data for the provision of the Service.
DATA CONTROLLER’S OBLIGATIONS. As Data Controller, Customer warrants that: (i) the legislation applicable to it does not prevent Data Processor from fulfilling the instructions received from the Data Controller(s) and performing Data Processor’s obligations under this Agreement; and (ii) it has complied and continues to comply with the Applicable Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Data Processor and enable the Processing of the Personal Data by the Data Processor as set out in this Agreement and as envisaged by any services agreement in place between the Parties. Customer also warrants that it maintains accurate and up to date records of legal basis for processing including relevant consent flows. If Customer is relying on “legitimate interest” under Article 6(1)(f) of the GDPR, it warrants that it has balanced its interests against the fundamental rights of the data subject, and keeps records of this process. Customer agrees that it will jointly and severally together with any other Data Controller, indemnify and hold harmless Spin Technology on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising directly or indirectly from a breach of this Clause.
DATA CONTROLLER’S OBLIGATIONS. 4.1 In utilising the Software, the Data Controller undertakes to comply with the obligations imposed under the Data Protection Legislation and other mandatory legislation as well as good data processing practice in the Processing of Personal Data.
4.2 The Data Controller shall be obligated to provide the Data Processor with comprehensive and lawful instructions concerning the Processing in documented form. Any instructions in deviation from the Supply Agreement must always be separately agreed upon between the Parties in writing, and the Data Processor may separately invoice the Data Controller for the carrying out of same.
4.3 The Data Controller shall be responsible for ensuring that all data subjects whose Personal Data is being Processed with the aid of the Software, have been provided with the information required under the Data Protection Legislation and that the Processing of Personal Data, including any transfer of Personal Data to the Data Processor, as required by the use of the Software, is lawful for the entire duration of the validity of the Supply Agreement and this DPA.
4.4 Prior to the conclusion of the Supply Agreement and this DPA, the Data Controller shall be obligated to ensure that the Processing of Personal Data under this DPA meets the requirements imposed upon the Data Controller in relation to the Processing of Personal Data, including the data security requirements.
DATA CONTROLLER’S OBLIGATIONS. 4.1 The Data Controller is responsible for the collection and update of the Personal Data, for the lawfulness and the quality of the Personal Data and of the means by which they were collected. Should the legal basis for the collection of the Personal Data cease to exist, the Data Controller will inform the Data Processor without undue delay.
4.2 The Data Controller will handle and answer any Third Party(ies) request regarding the Personal Data communicated by the Data Controller, subject to prompt and written notification thereof by the Data Processor.
4.3 The Data Controller undertakes to enforce the relevant provisions of the Data Privacy Regulation with respect to audits and to data breaches, involving the Personal Data processed under the Contract as per Section 12 below.
4.4 The Data Controller shall ensure, in its area of responsibility, that the level of protection resulting from the Data Privacy Regulations is met.
DATA CONTROLLER’S OBLIGATIONS. 4.1 Data Controller warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Data Processor and enable the Processing of the Customer Personal Data by the Data Processor as set out in this Agreement and as envisaged by the Master Services Agreement.
4.2 Data Controller agrees that it will indemnify and hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising directly or indirectly from a breach of this Clause 4 or any Applicable Data Protection Laws.
DATA CONTROLLER’S OBLIGATIONS. 6.1. The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services. To the extent required by Data Privacy Laws, Data Controller is responsible for ensuring that it provides such Personal Data to Data Processor based on an appropriate legal basis allowing lawful processing activities, including any necessary Data Subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such consent be revoked by the Data Subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor.
6.2. The Data Controller shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice.
6.3. The Data Controller shall request the Data Processor to purge Personal Data when required by the Data Controller or any Data Subject whom it collects Personal Data unless the Data Processor is otherwise required to retain the Personal Data by applicable law.
6.4. The Data Controller shall immediately advise the Data Processor in writing if it receives or learns of any:
6.4.1. Complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data;
6.4.2. Request from one or more individuals seeking to access, correct, or delete Personal Data;
6.4.3. Inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; and
6.4.4. Any regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data
DATA CONTROLLER’S OBLIGATIONS. 8.1 As part of the Data Controller receiving the Services under the Purchase Agreement, the Data Controller agrees to abide by its obligations under GDPR and declares and warrants as follows.
(a) That the Data Controller is solely responsible for the means by which Personal Data is acquired and used by the Data Controller, including instructing Processing by the Data Controller in accordance with the provisions of the Purchase Agreement and this Processing Agreement, is and shall continue to be in accordance with all the relevant provisions of GDPR, particularly with respect to the security, protection and disclosure of Personal Data,
(b) that if collection by Data Processor involves any ‘special’ or ‘sensitive’ categories of Personal Data (as defined in GDPR), the Data Controller is acquiring and transferring such Personal Data in accordance with GDPR,
(c) that that Data Controller will inform its Data Subjects (if applicable); including the Data Processor, and
(d) that, upon instructions from the Data Processor, it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by the Data Processor, and to give appropriate instructions to the Data Processor in a timely manner, and
(e) that, upon instructions from the Data Processor, it shall respond in a reasonable time to enquiries from a Supervisory Authority regarding the Processing of relevant Personal Data by Data Processor.
DATA CONTROLLER’S OBLIGATIONS. 3.1 To the extent that the Data Processor processes Personal Data in the course of providing the Services, each party acknowledges that, for the purposes of the Data Protection Legislation the Data Controller is the controller of any Personal Data.
3.2 The Data Controller represents and warrants that it shall comply with its obligations under this DPA and the Data Protection Legislation.
3.3 The Data Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Data Processor, its Affiliates and Sub- Processors, to execute their rights or perform their obligations under this DPA.
3.4 All Affiliates of the Data Controller who use the Services shall comply with the obligations of the Data Controller set out in this DPA.
3.5 The Data Controller shall implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Data Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
3.5.1 The pseudonymisation and encryption of Personal Data;
3.5.2 The ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
3.5.3 The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
3.5.4 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
3.6 The Data Controller acknowledges and agrees that some instructions from the Data Controller, including the Data Processor assisting with audits, inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. The Data Processor shall be entitled to charge the Data Controller for its costs and expenses in providing any such assistance...
DATA CONTROLLER’S OBLIGATIONS. 7.1. Each Data Controller warrants that: (i) the legislation applicable to it does not prevent Data Processor from fulfilling the instructions received from the Data Controller(s) and performing Data Processor’s obligations under this Agreement; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Data Processor and enable the Processing of the Personal Data by the Data Processor as set out in this Agreement and as envisaged by any services agreement in place between the parties.
7.2. Each Data Controller agrees that it will jointly and severally together with any other Data Controller, indemnify and hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising directly or indirectly from a breach of this Clause 7.
DATA CONTROLLER’S OBLIGATIONS. The Data Controller finds that the personal data that has transferred and will transfer to the Processor are relevant and not exceeding the purpose for which they have been collected and then processed, and that they are gathered and transferred in accordance with all requirements of the applicable law. It is the Data Controller’s responsibility to find the legal basis for the personal data processing.
