Data Processing. The Data Processor agrees to process the Personal Data to which this Supplementary Agreement applies, and in particular the Data Processor agrees that it shall:
process the Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation;
process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller;
implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected;
in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A to the Main Agreement), regard Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor;
implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including establishing organisational policies for employees, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement;
implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller;
ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement;
comply with any request from the Data Controller to amend, transfer or delete Personal Data;
provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties;
should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications;
promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense;
in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible, assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data;
not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services;
not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin;
permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement;
advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and
If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall:
promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body;
inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”);
request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data;
cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities;
where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition;
provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body.
The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Appears in 5 contracts
Samples: Supplementary Agreement on the Protection of Personal Data, Supplementary Agreement on the Protection of Personal Data, Supplementary Agreement on the Protection of Personal Data
Data Processing. In the provision of Services, Protiviti (the “Processor”) may be Processing Personal Data on behalf of the other party (the “Controller”). In these circumstances, Protiviti will:
(i) Process Personal Data only to the extent, and in such a manner as is necessary, for the performance or receipt of the Services under these Terms and Conditions and only on reasonable written instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or English law. In such case, the Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest,
(ii) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
(iii) take all measures required by Data Protection Law relating to data security,
(iv) not engage another party to Process Personal Data without the Controller’s prior written authorisation, and if such authorisation is granted, take those measures required pursuant to the Data Protection Law,
(v) taking into account the nature of the Processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Law,
(vi) assist Controller in ensuring its compliance with data security, Personal Data Breach, data protection impact assessments, and engaging in other consultations, pursuant to Data Protection Law (taking into account the nature of processing and the information available to the Data Processor),
(vii) not keep the Personal Data it receives under these Terms and Conditions for longer than required for the execution of these Terms and Conditions, unless European Union or English law requires storage of the Personal Data, and will promptly comply with any commercially reasonable request from Controller requiring Processor to amend, transfer, or delete the Personal Data, to the extent that the Controller does not have the ability to do so itself,
(viii) subject to the confidentiality restrictions herein, make available to Controller all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to audits, including inspections, conducted by Controller, and
(ix) immediately inform Controller if, in its opinion, an instruction from Controller infringes Data Protection Law that is applicable to Processor. The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects will be described in the Arrangement Letter, or other written agreement signed by the parties. Each party represents that it has obtained the proper consent from all Data Subjects to the disclosure and transfer of Personal Data under these Terms and Conditions. In addition, Client acknowledges that Protiviti may use this information as part of its client account opening and general administration process (e.g., in order to carry out anti-money laundering, conflict and financial checks, invoicing, or debt recovery). For these purposes, the information may be transferred to or accessible from Protiviti’s offices around the world.
Appears in 4 contracts
Samples: Office 365 Adoption and Delivery Terms and Conditions, G Cloud Terms and Conditions, G Cloud Services Agreement
Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation.
12.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.
12.3 For the purposes of the Data Protection Legislation and for this Clause 12, the Service Provider is the “Data Processor” and the Client is the “Data Controller”.
12.4 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.
12.5 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:
12.5.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law;
12.5.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures;
12.5.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;
12.5.4 Not transfer any personal data outside of the UK without the prior written consent of the Data Controller and only if the following conditions are satisfied:
12.5.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;
12.5.4.2 Affected data subjects have enforceable rights and effective legal remedies;
12.5.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and
12.5.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.
12.5.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);
12.5.6 Notify the Data Controller without undue delay of a personal data breach;
12.5.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and
12.5.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 and to allow for audits by the Data Controller and/or any party designated by the Data Controller.
12.7 The Data Processor shall not sub-contract any of its obligations to a sub-contractor with respect to the processing of personal data under this Clause 13 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall:
12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and
12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation.
12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.
Appears in 3 contracts
Samples: Standard Service Agreement, Standard Service Agreement, Standard Service Agreement
Data Processing. The Data 3.1 During the Term, the Processor agrees to will process the Personal Data to which this Supplementary Agreement applies, and in particular the Data Processor agrees that it shall: process the Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement Agreement, and where in particular the standards imposed by the data protection legislation regulating Processor will:
3.1.1 comply with its obligations as a Processor under the Data Protection Acts;
3.1.2 having regard to the state of the art, costs of implementation (where applicable) and taking into account the nature, scope, context and purposes of the Processing and the risk to the rights and freedoms of Data Subjects posed by the Processing and the information available to the Processor, implement the Technical and Organisational Security Measures, which the Controller and the Processor agree to be appropriate for the purposes of this Agreement;
3.1.3 at the cost of implementing any measuresthe Controller, such measures shall ensure a level of security appropriate insofar as reasonably possible and practicable to do so, assist the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to Controller in complying with the nature of the Personal Data to be protected; in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A to the Main Agreement), regard Personal Data as confidential data and not disclose such data without the prior written authorization rights of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) Subjects as may be required by any law or regulation affecting set out in the Data Processor; implement technical and organisational measures to procure Protection Acts;
3.1.4 without due delay, notify the Controller of any actual Security Breach which does actually affect the Data, after becoming aware of such Security Breach;
3.1.5 agrees that the Data is confidential in nature and the Processor, unless otherwise lawfully directed in writing by Controller, will:
(a) process the Data (on behalf of Controller) exclusively for the provision of the Services and for the purposes which are set out at Schedule 3;
(b) insofar as it is reasonably possible and lawful to do so, process the Data solely in accordance with the written instructions of Controller as notified in writing in advance by the Controller, except as required/ permitted to do otherwise by European Union law or the laws of any member state to which the Processor is subject, and (where permitted) the Processor will inform the Controller of such;
(c) take reasonable steps to ensure that each of its employees, officers, representatives, advisers and/or subcontractors engaged in processing the Data ("Representatives") will be informed of the confidential nature of the Data and are under an obligation to keep the Data confidential; and
(d) not Process or transfer any Data outside of the European Economic Area (“EEA”) without the express prior written consent of the Controller, other than as provided by Clause 4 of this Agreement.
3.2 To the extent that Processor cannot comply with the Controller’s instructions pursuant to clause 3.1.5(b) or a request in writing from change to those instructions (as the case may be) without incurring material additional costs, the Processor shall: (i) immediately inform the Controller, giving full details of the problem; and (ii) cease all processing of the affected Data (other than securely storing that Data) until revised instructions are received.
3.3 The Processor will, at the cost of the Controller and on reasonable notice during Normal Business Hours, give commercially reasonable assistance to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain ensuring compliance with the terms of this Agreement; advise Controller's obligations under the Data Controller Protection Acts having regard to the state of any significant change in the art, costs of implementation (where applicable) and taking into account the nature, scope context and purposes of the Processing and the risk to the rights and freedoms of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; Data Subjects posed by the Processing and If pursuant the information available to any law or regulation affecting the Processor.
3.4 The Controller hereby agrees that it will comply with its obligations as a Controller under the Data Processor, Personal Data is sought by any governmental bodyProtection Acts. In particular, the Data Processor shall: promptly notify the Data Controller of this fact and consult shall ensure that at all relevant times there is a legal basis for Processing in accordance with the Data Controller regarding Protection Acts to enable the Processor (and such members of the Processor's group of companies) to Process the Data Processor’s response and/or Sensitive Data as pursuant to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data; cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities; where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition; provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, 
and keep the Data Controller informed of all developments and communications with the governmental body. The obligations and restrictions in Section 2.1 and Section 2.2 of Services under this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Appears in 3 contracts
Samples: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Data Processing. 2.1 The Data Processor agrees to process the Personal Data to which this agreement applies, and in particular the Data Processor agrees that it shall:
a. process the Personal Data in accordance with the terms and conditions set out in this agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this agreement, then in accordance with such legislation;
b. process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller;
c. implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage, having regard to the state of technological development and the cost of implementing any measures; such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected;
d. regard the Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or sub-contractors to whom disclosure is necessary for the performance of the Service and subject to […] below or except as may be required by any law or regulation affecting the Data Processor;
e. implement technical and organisational measures to ensure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including establishing organisational policies for employees, agents and sub-contractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this agreement;
f. implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller;
g. ensure that any disclosure to an employee, agent or sub-contractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under this agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. For the avoidance of doubt, any agreement, contract or other agreement with an employee, agent or sub-contractor shall not relieve the Data Processor of its obligation to comply fully with this agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this agreement;
h. comply with any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the parties [Agency to insert relevant time periods at its discretion];
i. should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications;
j. promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable and at the request of the Data Controller, restore such Personal Data at its own expense;
k. in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible,
l. assist the Data Controller with all Data Subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data;
m. not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor ensures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services;
n. notify the Data Controller of the country(s) in which the Personal Data will be processed where such country(s) is not the country of the Data Processor’s registered office;
o. not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin;
p. permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this agreement;
q. advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and
r. report [in accordance with agreed reasonable timeframes] to the Data Controller on the steps it has taken to ensure compliance with clause 3.1.of this agreement.
Appears in 3 contracts
Samples: Beneficiary Notice and Consent Agreement, Beneficiary Notice and Consent Agreement, Beneficiary Notice and Consent Agreement
Data Processing. The Data Processor agrees to process the Personal Data to which this Supplementary Agreement applies, and in particular the Data Processor agrees that it shall: process the Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation; process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller; implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected; in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A Е to the Main Agreement), regard Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor; implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security 
of the Personal Data including establishing organisational policies for employees, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement; implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller; ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; comply with any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties; should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications; promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, 
corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense; in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible, assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services; not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. 
Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data; cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities; where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, 
termination, removal or modification of such prohibition; provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Appears in 2 contracts
Samples: Supplementary Agreement on the Protection of Personal Data, Supplementary Agreement on the Protection of Personal Data
Data Processing. 3.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the University is the Controller and the Contractor is the Processor. Schedule 1 sets out the scope, nature and purpose of processing by the Contractor, the duration of the processing and the types of Personal Data and categories of Data Subject.
3.2 The Contractor shall notify the University immediately if it considers that any of the University’s instructions infringe the Data Protection Legislation.
3.3 The Contractor shall provide all reasonable assistance to the University in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the University, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
3.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 1, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the University before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the University as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures. ensure that: the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the University or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data.
not transfer Personal Data outside of the EU unless the prior written consent of the University has been obtained and the following conditions are fulfilled: the University or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the University; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the University in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the University with respect to the processing of the Personal Data.
at the written direction of the University, delete or return Personal Data (and any copies of it) to the University on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data.
3.5 Subject to clause 3.6, the Contractor shall notify the University immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event.
3.6 The Contractor’s obligation to notify under clause 3.5 shall include the provision of further information to the University in phases, as details become available.
3.7 Taking into account the nature of the processing, the Contractor shall provide the University with full co-operation and assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.5 (and insofar as possible within the timescales reasonably required by the University) including by promptly providing: the University with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the University to enable the University to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the University, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the University following any Data Loss Event; and assistance as requested by the University with respect to any request from the Information Commissioner’s Office, or any consultation by the University with the Information Commissioner's Office.
3.8 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: the University determines that the processing is not occasional; the University determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the University determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
3.9 The Contractor shall allow for audits of its Data Processing activity by the University or the University’s designated auditor.
3.10 The Contractor shall designate a Data Protection Officer if required by the Data Protection Legislation.
3.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: notify the University in writing of the intended Sub-processor and processing; obtain the express prior written consent of the University; enter into a written Agreement with the Sub-processor which give effect to the terms set out in this clause 3 such that they apply to the Sub-processor; and provide the University with such information regarding the Sub-processor as the University may reasonably require.
3.12 The Contractor shall remain fully liable for all acts or omissions of any Sub-processor.
3.13 The University may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
3.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The University may on not less than 30 Working Days’ notice to the Contractor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
3.16 The Contractor shall indemnify the University against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties, fines and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the University arising out of or in connection with the breach of this clause 3 or any Data Protection Legislation by the Contractor, its employees, agents, consultants or contractors.
Appears in 2 contracts
Samples: Third Party Processing Agreement, Third Party Processing Agreement
Data Processing. Jelly Software will act as the Data Processor as defined in the Data Protection Act 1998 for data supplied by you for the online system. Jelly Software is registered under the Data Protection Xxx 0000. Registration number is Z2588758. The registered data controller is Xxxx Xxxxxxx. The data on your database will be synchronised with a cloud database held at Microsoft’s Azure data centre in order to allow your remote users accessing your system via the internet immediate access to your data. Jelly Software will ensure that your data is safe and cannot be accessed by anyone other than you or your customers.
a) Jelly Software will process the Personal Data at all times in accordance with the Act and solely for the purposes (connected with provision by the Data Processor of the Services) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any other manner except with the express prior written consent of the Data Controller;
b) In a manner consistent with the Act and with any guidance issued by the Information Commissioner, implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected;
c) ensure that each of its employees, agents and subcontractors are made aware of and are trained in, its obligations under this agreement with regard to the security, handling and protection of the Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this agreement;
d) not divulge the Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of its employees, agents and subcontractors who are engaged in the Processing of the Data and are subject to the binding obligations referred to in our responsibilities or except as may be required by any law or regulation;
e) that the Data Processor will have access to such backup of the Personal Data as is reasonably required by the Data Controller;
f) if the Data Processor receives any complaint, notice or communication which relates directly or indirectly to the Processing of the Personal Data or to either party’s compliance with the Act and the Data Protection Principles set out therein, the Data Processor shall immediately notify the Data Controller and it shall provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications.
g) At the Data Controller’s request, the Data Processor shall provide to the Data Controller a copy of the most commonly requested Data held by it in Excel. In addition the Data Processor will extract all files, documents and images held by it and will provide them in a zipped folder.
h) The Data Processor shall promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable. The Data Processor will restore such Data from the backups of the PC Jelly database held by the data controller.
i) in the event of the exercise by Data Subjects of any of their rights under the Act in relation to the Data, inform the Data Controller as soon as possible, and the Data Processor further agrees to assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data;
j) in the event that the Data Processor receives a request for any information contained in the Data pursuant to Freedom of Information Xxx 0000, Environmental Information Regulations 2000, or the Act not to respond to the person making such request but to inform the Data Controller within two (2) working days, the Data Processor further agrees to assist the Data Controller with all such requests for information which may be received from any person within such timescales as may be prescribed by the Data Controller;
k) not Process or transfer the Personal Data outside of the United Kingdom and Ireland except with the express prior written authority of the Data Controller; and
l) Allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Data Controller or its authorised representatives in order to audit or otherwise ascertain compliance with the terms of this agreement.
Appears in 2 contracts
Samples: Software Agreement, Software Agreement
Data Processing. 2.1. The Data Processor agrees to process the Personal Data to which this Supplementary Agreement applies, and in particular the Data Processor agrees that it shall:
(a) process the Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation;
(b) process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller;
(c) implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected;
(d) in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A to the Main Agreement), regard Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor;
(e) implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including establishing organisational policies for employees, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement;
(f) implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller;
(g) ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement;
(h) comply with any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties;
(i) should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications;
(j) promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense;
(k) in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible,
(l) assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data;
(m) not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services;
(n) not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin;
(o) permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement;
(p) advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and
2.2. If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall:
(a) promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body;
(b) inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”);
(c) request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data;
(d) cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities;
(e) where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition;
(f) provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body.
2.3. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Appears in 2 contracts
Samples: Supplementary Agreement on the Protection of Personal Data, Supplementary Agreement on the Protection of Personal Data
Data Processing. 11.1 In this clause 11, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation.
11.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This clause 11 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.
11.3 For the purposes of the Data Protection Legislation and for this clause 11, the Licensor is the “Data Processor” and You are the “Data Controller”.
11.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule 2.
11.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.
11.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:
a) Process the Personal Data to which this Supplementary Agreement applies, and in particular personal data only on the Data Processor agrees that it shall: process the Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation; process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller; implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected; in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A to the Main Agreement), regard Personal Data as confidential data and not disclose such data without the prior written authorization instructions of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor; implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the 
Personal Data including establishing organisational policies for employees, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement; implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller; ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; comply with any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties; should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications; promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted 
or unstable and at the request of the Data Controller, restore such Personal Data at its own expense; in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible, assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, unless the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the otherwise required to process such personal data by law. The Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services; not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. 
Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact such processing unless prohibited from doing so by law;
b) Ensure that it has in place suitable technical and consult organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken are set out in Schedule 2;
c) Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;
d) Transfer any personal data outside of the UK (and the Data Controller hereby consents to such transfer) only if the following conditions are satisfied:
11.6.d.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;
11.6.d.2 Affected data subjects have enforceable rights and effective legal remedies;
11.6.d.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and
11.6.d.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.
e) Assist the Data Controller at the Data Controller’s cost, in responding to the requests from data subjects where relevant and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office) to the extent the personal data processed by the Data Processor for the purposes of this Agreement is concerned;
f) Notify the Data Controller without undue delay of a personal data breach;
g) On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and
h) Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this clause 11 and to allow for audits by the Data Controller;
11.7 The Data Controller acknowledges and agrees, that the Data Processor may sub-contract any of its obligations with respect to the processing of personal data under this clause 11 to a sub-contractor. The initial list of Data Processor’s sub-contractors is attached in Schedule 2. The Data Processor shall enter into a written agreement with the sub-processor, which shall impose upon the sub-processor the same obligations as are imposed upon the Data Processor by this clause 11 and which shall permit both the Data Processor and the Data Controller to enforce those obligations. Any additions or replacements of subcontractors will be notified to the Data Controller on the Data Processor’s webpage or via email. Customer may oppose the use of a new sub-processor, and shall notify the Data Processor thereof, in which case the Data Processor will use reasonable efforts to amend the Software product (if commercially possible) or service or offer an alternative, and if this is not possible within reasonable time, the Data Controller may terminate the applicable Order’s with a notice to the Data Processor, and will refund the Data Processor the pre-paid fees for the unused part of the Software in proportion from the effective date of termination. Data Processor shall ensure that the sub-processor complies fully with its obligations under that agreement and the Data Protection Legislation; and
11.8 Licensor may, at any time, and on at least a reasonable notice, alter this clause 11, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced and published on Licensor’s webpage.
Appears in 1 contract
Samples: End User License Agreement
Data Processing. 3.1 The Data Processor shall ensure that its internal operating systems only permit properly authorised personnel to access Personal Data.
3.2 The Data Processor shall provide appropriate training to its personnel with respect to:
(i) the correct handling of Personal Data so as to minimise the risk of security breaches; and
(ii) the requirements of the applicable Data Protection Laws.
3.3 The Data Processor acknowledges and agrees that it will:
(i) only Process Personal Data in accordance with the Data Controller’s written instructions including with regard to transfers of personal data to a Third Country or an international organisation (which may be specific instructions or instructions of a general nature as set out in the terms or as otherwise notified by the Data Controller to the Data Processor from time to time and the Data Controller shall ensure it gives only lawful written instructions);
(ii) only use, reproduce or otherwise Process any Personal Data collected in connection with providing the Services to the extent necessary to provide the Services;
(iii) not modify, amend or alter the contents of the Personal Data, except as directed by the Data Controller;
(iv) not, without the Data Controller’s written approval, Process any Personal Data on any Data Processor systems on which data (including any Personal Data) is Processed for any other person outside of the Data Controller; and
(v) implement and maintain a system for logging and identifying all Data Processor personnel accessing any Personal Data through Data Processor systems and if requested by the Data Controller, the Data Processor shall provide to the Data Controller a copy of the access log.
3.4 The Data Processor shall implement appropriate technical and organisational measures (in particular those required under the GDPR) to assure a level of security appropriate to the risk to the security of Personal Data, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data in accordance with the Data Processor’s obligations under Data Protection Laws (the “Security Measures”). The Security Measures may also include as appropriate:
(i) the pseudonymisation and encryption of Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity and availability of the Personal Data and resilience of the Data Processor systems used for such Processing;
(iii) the ability to restore the availability and access to the Personal Data, in a timely manner but no later than forty eight (48) hours, in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.5 The Data Controller may notify the Data Processor immediately in the event that it does not consider that the Security Measures ensure an appropriate level of security for Personal Data and the Data Controller shall notify the Data Processor of any additional or amended security controls or measures which the Data Controller considers in its reasonable opinion is necessary to ensure compliance with Data Protection Laws. The Data Processor agrees to implement such additional security controls or measures.
3.6 The Data Processor agrees and warrants that the Security Measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures shall ensure a level of security appropriate to the risks presented by the Processing and to the nature of the Personal Data to be protected having regard to the state of the art and the cost of their implementation.
3.7 Without limiting the Data Processor's other obligations under this Clause 3.7, the Data Processor:
(i) may disclose Personal Data to its personnel but only those who:
a) need to know for the purpose of providing the Services (and only to that extent);
b) have been trained in accordance with Clause 3.2;
c) are subject to a binding contract to keep the Personal Data confidential (or are under an appropriate statutory obligation of confidentiality), and
(ii) may only disclose Personal Data to any other person with the express prior written consent of the Data Controller, and, where the Data Controller provides its consent, only where the person is subject to a binding commitment to keep the Personal Data confidential (or are under an appropriate statutory obligation of confidentiality).
3.8 If the Data Processor or Data Processor personnel are required by Law and/or an order of any court or competent jurisdiction or any regulatory, judicial or governmental body to disclose the Personal Data, the Data Processor shall, except where prohibited by Law, first:
(i) give the Data Controller notice of the details of the proposed disclosure;
(ii) give the Data Controller a reasonable opportunity to take any steps it considers necessary to protect the confidentiality of the Personal Data including but not limited to seeking such judicial redress as the Data Controller may see fit in the circumstances;
(iii) give any assistance reasonably required by the Data Controller to protect the confidentiality of the Personal Data; and
(iv) inform the proposed disclosee that the information is confidential.
3.9 Without limiting the Data Processor's other obligations under these terms, the Data Processor shall not engage any third-party processors to Process Personal Data without the prior written consent of the Data Controller. If the Data Processor engages any third party to Process any Personal Data, the Data Processor shall impose on such third party, by means of a written contract, the same data protection obligations as set out in these terms.
3.10 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of any third-party processors and shall not make any such changes without the prior written consent of the Data Controller.
3.11 The Data Processor shall remain liable to the Data Controller for Processing by such third parties as if the Processing was being conducted by the Data Processor.
3.12 The Data Processor acknowledges and agrees that the Data Processor or Data Processor personnel may not transfer Personal Data to any Third Country except to the extent that the transfer is expressly approved by the Data Controller in writing. If personal data processed under these terms is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
Appears in 1 contract
Samples: Data Processing Agreement
Data Processing. In consideration of the undertakings provided by the Data Controller in clause 4, the Data Processor agrees to Process the Personal Data to which this DPA applies in accordance with the terms and conditions set out in this DPA, and in particular the Data Processor agrees that it shall: process the Personal Data at all times in accordance with the Data Protection Laws and solely for the purposes (connected with provision by the Data Processor of the Services) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any other manner except with the express prior written consent of the Data Controller; in a manner consistent with the Data Protection Laws and with any guidance issued by the Data Protection Commissioner, implement appropriate technical and organisational measures (as documented by the Data Processor in Appendix 2) to safeguard the Personal Data from unauthorised or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected; implement the appropriate organisational and technological solutions in order to assist the Data Controller promptly with any and all issues which may arise in relation to the processing of the personal data, including the resolution of any complaints, the detection and reporting of any breach and the timely response to subject access requests which may be received from Data Subjects to whom the Personal Data refers; ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the Personal Data and that all such employees shall have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of the Personal Data; ensure that each of its agents and subcontractors (as listed by the Data Processor in Schedule 1) are made aware of its obligations under this DPA with regard to the security and protection of the Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this DPA; not divulge the Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of its employees, agents and subcontractors who are engaged in the Processing of the Data and are subject to the binding obligations referred to in clause 3.1(c) or except as may be required by any law or regulation; in the event of the exercise by Data Subjects of any of their rights under the Data Protection Laws in relation to the Data, inform the Data Controller as soon as possible, and the Data Processor further agrees to assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services; not Process or transfer the Personal Data outside of the European Union except with the express prior written authority of the Data Controller, where such authority constitutes correct signing of the Standard Contractual Clauses as provided in Schedule 2; allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Data Controller or its authorised representatives in order to audit or otherwise ascertain compliance with the terms of this DPA.
Appears in 1 contract
Samples: Data Processor Agreement
Data Processing. 2.1 The parties agree that as between them, for the purpose of the Data Protection Legislation, Buyer shall be deemed the controller and Cimple shall be deemed the processor in relation to any Controller’s Data processed by Cimple (or its Sub-processors) under this DP Annex or for the purpose of these T&Cs and it shall be the responsibility of Buyer to ensure compliance with the obligations imposed by the Data Protection Legislation on the controller of the Controller’s Data.
2.2 Cimple shall process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller; implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected; in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A to the Main Agreement), regard Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor; implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including establishing organisational policies for employees, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement; implement backup processes as agreed between DP Annex (including the Data Controller Processing Details) and Applicable Laws and solely for the Permitted Purposes.
2.3 Cimple shall process the Controller’s Data Processor to procure the availability on behalf of the Personal Data at all times Buyer and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller; ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply in accordance with the obligations written instructions of Buyer unless required otherwise by law or upon the Data Processor requirement of a governmental authority under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal DataApplicable Law. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve Buyer hereby authorises Cimple to process the Controller’s Data as set out in the Data Processor Processing Details and as required to fulfil Cimple’s obligations under these T&Cs.
2.4 In the event that Cimple is required by law in upon the requirement of its obligation a governmental authority under Applicable Law to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; comply with carry out any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties; should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Controller’s Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications; promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense; in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible, assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent instructions of Buyer, Cimple shall inform Buyer of that legal requirement before carrying out the processing, unless that law prohibits such information on important grounds of public interest.
2.5 Cimple shall treat the Controller’s Data processed under this DP Annex as Buyer Confidential Information in accordance with clause 16 of the T&Cs and shall ensure that its employees, consultants, Sub-processors, affiliates and other persons authorised by Cimple to process the Controller’s Data are bound by confidentiality obligations (whether contractual or imposed under Applicable Law) in respect of such data.
2.6 Buyer acknowledges and agrees that, in respect of any Personal Data received from Buyer, Cimple will rely on Buyer and the Data Processor procures that the promotion or offer of services it is not in any manner associated to the Data Controller or the Data ControllerBuyer’s services; not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data; cooperate with the Data Controller’s reasonable 
requests in connection with efforts by the Data Controller sole responsibility to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s statusData is and will remain accurate, including its privileges up-to-date, relevant and immunities; where suitable for the Data Processor purpose of processing and that it is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request processed for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition; provide the Data Controller lawful purposes in accordance with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writingApplicable Laws.
Appears in 1 contract
Samples: Buyer Terms and Conditions
Data Processing. 3.1 In consideration of the undertakings provided by the Data Controller in clause 4, the Data Processor agrees to Process the Personal Data to which this agreement applies by reason of clause 2 in accordance with the terms and conditions set out in this agreement, and in particular the Data Processor agrees that it shall:
(a) Process the Personal Data at all times in accordance with the Act and solely for the purposes (connected with provision by the Data Processor of the Services) and in the manner specified from time to time by the Data Controller in writing and for no other purpose or in any other manner except with the express prior written consent of the Data Controller;
(b) in a manner consistent with the Act and with any guidance issued by the UK and/or the Scottish Information Commissioner, implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected;
(c) ensure that each of its employees, agents and subcontractors are made aware of its obligations under this agreement with regard to the security and protection of the Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this agreement;
(d) not divulge the Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Data Controller except to those of its employees, agents and subcontractors who are engaged in the Processing of the Data and are subject to the binding obligations referred to in clause 3.1(c) or except as may be required by any law or regulation;
(e) in the event of the exercise by Data Subjects of any of their rights under the Act in relation to their Personal the Data, inform the Data Controller as soon as possible, and the Data Processor further agrees to assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use ;
(f) in the event that the Data Processor receives a request for any information contained in the Data pursuant to Freedom of Information Xxx 0000, the Freedom of Information (Scotland) Xxx 0000 or the Environmental Information Regulations (Scotland) 2004, not to respond to the person making such request but to inform the Data Controller within two (2) working days, and the Data Processor further agrees to assist the Data Controller with all such requests for information which may be received from any person within such timescales as may be prescribed by the Data Controller;
(g) not process Process or transfer the Personal Data outside of the country of its registered office United Kingdom except with the express prior written consent authority of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that and
(h) allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Data Controller or its authorised representatives, on request, representatives in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data; cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities; where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition; provide the Data Controller 
with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writingagreement.
Appears in 1 contract
Samples: Data Processing Agreement
Data Processing. 2.1 The parties acknowledge that the Services may involve the collection and/or use of data, some of which may constitute personal data, personal information, personal identifiable information or equivalent term (“Personal Information”) as defined under applicable data protection laws and regulations, including the EU General Data Protection Regulation 2016/679 (“Applicable Law”).
2.2 Supplier and Oracle shall each be responsible for the Processing of Personal Information under their control in the context of Supplier delivering the Services described in the Services Contract. Each party will comply with its respective controller obligations under Applicable Law.
2.3 With respect to process the Processing Personal Data to which this Supplementary Agreement appliesInformation, Supplier shall, and in particular shall ensure that any person Processing Personal Information on Supplier’s behalf shall:
(a) Process Personal Information only to deliver the Data Processor agrees that it shall: process the Services, and shall not Process Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation; process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and Information for no other purpose or in any other manner except with purpose, unless Supplier obtains Oracle’s or the individual’s express prior written consent of the Data Controller; implement for such Processing activities.
(b) Implement appropriate technical and organisational organizational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm risk and comply, except as otherwise specified by Oracle in the Services Contract, with the Oracle Supplier Information and Physical Security Standards, including any appendices (“OSSS”) and with the Oracle Supplier Code of Ethics and Business Conduct (“OSCoE”). Oracle may update the OSSS and/or OSCoE at its discretion. Supplier shall consult the most recent versions of the OSSS and OSCoE on xxxx://xxx.xxxxxx.xxx/corporate/supplier/index.html.
(c) Regularly audit its own business processes and procedures that involve the Processing of Personal Information under the Agreement for compliance with Applicable Law.
(d) Where the Services involve Supplier receiving or collecting Personal Information directly from individuals, Supplier shall provide notice to individuals and obtain consent as required under Applicable Law for the relevant purpose(s).
(e) Unless expressly prohibited by Applicable Law, promptly notify Oracle of any requests for disclosure of Personal Information Processed by Supplier in relation to the Services Contract by law enforcement, state security bodies, or other public authorities.
(f) Promptly take adequate steps to remedy any noncompliance with the Agreement and/or Applicable Law regarding the Processing of Personal Information.
(g) Promptly, but at the latest, within 24 hours of any security incident involving the Services or Personal Information, report such security incidents to Oracle.
(h) Promptly notify and forward to Oracle if an individual submits a request or complaint to Supplier with regards to a Processing activity under the control of Oracle and refrain from responding to the individual’s request.
2.4 Where the Services involve a Transfer of Personal Information from:
(a) A member state of the European Economic Area (“EEA”) or Switzerland, to a Supplier location outside the EEA or Switzerland that has not received a binding adequacy decision by the European Commission, such Transfers are subject to an unmodified set of the 04 June 2021 EU Controller to Controller Model Clauses (Module 1: Controller to Controller) (or any successor Model Clauses) of which the body and Annex A is incorporated by reference to this Agreement, and the preamble thereto and Annex B are attached (Annex I);
(b) The United Kingdom (UK) to a Supplier location outside of the UK that has not received a binding adequacy decision by the Information Commissioner’s Office (ICO) such Transfers are subject to an unmodified set of the EU Model Clauses (Module 1: Controller to Controller) (or any successor Model Clauses) of which the body and Annex A is incorporated by reference to this SDPA-C, and the preamble thereto and Annex B are attached (Annex I) as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) (or any successor UK Model Clauses) of which the body is herein attached (Annex II).
(c) Argentina to Supplier located outside Argentina, such Transfers will be governed by an unmodified set of Argentinian Model Clauses of which the body is incorporated by reference to this Agreement, and its Annex A is attached (Annex III);
(d) Other jurisdictions subject to data Transfer restrictions, Supplier will implement appropriate Transfer safeguards in accordance with Article 13 Applicable Law. Supplier will provide Oracle with a copy of UNHCR General Conditions of Contract for the Provision of Services (Annex A relevant Transfer mechanism and/or related data protection provisions promptly upon request; If the Supplier Processes Personal Information pursuant to the Main AgreementCalifornia Consumer Privacy Act as amended (“CCPA”), regard Personal Data as confidential data and not disclose such data without the prior written authorization terms of the Data Controller Oracle Supplier CCPA Service Provider Addendum (“CCPA Addendum”) attached here as Annex IV, shall apply. The CCPA Addendum is effective solely to any person other than the extent the CCPA applies to its employeesSupplier’s processing of Oracle Personal Information of natural persons who are residents of California, agents or subcontractors to whom disclosure is necessary for the in Supplier’s performance of the Services, except . The effective date of this SDPA-C is . By: By: Name (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor; implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security Print): Name (Print): Title: Title: Signature Date: Signature Date:
1. The unmodified set of the Clauses identified as corresponding to Module 1 in the Implementation Decision adopted by the Commission on June 4th, 2021, of which body is incorporated by reference to this SDPA-C and the annexes herein, applies to the Processing of Personal Data including establishing organisational policies for employeesInformation by the Supplier in its role as a Controller as part of the provision of Services under the Agreement, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement; implement backup processes as agreed between the Data Controller Supplier and Data Processor to procure the availability of the Oracle, where such Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as Information is reasonably required Processed by the Data Controller; ensure that any disclosure to an employee, agent or subcontractor is subject to Supplier and/or a binding legal obligation to comply with the obligations of the Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. 
For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; comply with any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it Supplier Affiliate in a format and or a media reasonably specified by third country outside the EU/EEA that has not received an adequacy finding under Applicable European Data Controller within reasonable timeframes as agreed between the Parties; should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications; promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense; in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible, assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court orderProtection Law.
2. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services; not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such 
Personal Data; cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities; where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition; provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Only to the extent applicable with regards to Processing of Swiss Personal Information, the Parties wish to clarify that (1) references to EU member states in these Clauses shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights at their habitual residence in Switzerland, (2) these Clauses also protect data pertaining to legal entities as long as the Swiss Federal Act of 19 June 1992 on Data Protection, as amended, including the Ordinance to the FADP, remain in force; and that (3) the Swiss Regulator is competent authority for the purposes of
Appears in 1 contract
Samples: Supplier Data Protection Agreement
Data Processing. 3.1 The Data Processor agrees to Process the Personal Data in accordance with the terms and conditions set out in this DPA, and in particular the Data Processor undertakes:
3.1.1 to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller's instructions for Data Processor to perform pursuant to the LICENSE, and all applicable data protection laws (“Processing Services”);
3.1.2 to ensure that any personnel entrusted with the Processing Services have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3 to take technical, physical and organizational measures to ensure the security and confidentiality of the Personal Data and appropriately protect Personal Data Processed on behalf of the Data Controller against misuse and loss;
3.1.4 that it will promptly notify the Data Controller about: (a) any legally binding request for disclosure of the Personal Data by a government authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement or intelligence investigation, (b) any Personal Data Breach affecting the Personal Data processed by Data Processor on behalf of the Data Controller, (c) any request received by Data Processor directly from the Data Subjects (including and Data Subject rights under Data Protection Laws such as the right to access, rectification, deletion, objection, restriction, data transfer); the Data Processor (i) will not respond directly to that request, except to notify the Data Subject that it is acting on behalf of the Data Controller and to furnish the Data Subject with the contact information of the Data Controller, and (ii) taking into account the nature of the Processing, will assist the Data Controller by appropriate technical, physical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights;
3.1.5 to provide commercially reasonable cooperation to the Data Controller to assist the Data Controller comply with its own legal obligations related to Personal Data Processed by Data Processor, such as: notification of a Personal Data Breach to the competent supervisory authority, communication of such Personal Data Breach to the Data Subjects affected and, where applicable, implementation of data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Data Processor;
3.1.6 to make available to the Data Controller all information necessary to prove compliance with the obligations laid out in this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller as set forth in Section 6; and
3.1.7 that any Processing Services carried out by a Subprocessor will be carried out in accordance with Section 6.
3.2 With respect to the Processing Services, the Data Controller will be responsible for complying with all requirements that apply to it under Data Protection Laws regarding the Processing of Personal Data and the Instructions it issues to the Data Processor. In particular but without prejudice to the generality of the foregoing, the Data Controller acknowledges and agrees that it will be solely responsible for the following: (i) the accuracy, quality, and legality of Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable law for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; (iii) ensuring the Data Controller has the right to transfer, or provide access to, the Personal Data to the Data Processor and that the Data Controller has provided any required notifications and obtained any required consents and/or authorizations in relation to that transfer or access and, more generally, for Processing in accordance with the terms of the LICENSE (including this DPA); and (iv) ensuring that its Instructions comply with applicable laws. Upon request from the Data Processor, the Data Controller shall provide to the Data Processor within three (3) business days written evidence of such notifications, consents and authorizations. The Data Controller will not input into the Processing Services, or otherwise provide the Data Processor, with any sensitive or special categories of Personal Data, as defined in Data Protection Laws, unless otherwise agreed to separately in writing by the Data Controller. The Data Controller will inform the Data Processor, immediately and without undue delay, if Data Controller is not able to comply with its responsibilities set forth in this DPA.
3.3 The Data Controller authorizes the Data Processor to anonymize the Personal Data Processed pursuant to the LICENSE in order to derive analytics data relating to the use of SOFTWARE and the LICENSOR’S products and services. Further use of resulting analytical data by the Data Processor is subject to prior authorization from
For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services; not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the 
Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data; cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities; where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition; provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Appears in 1 contract
Samples: Software License Agreement
Data Processing. 2.1. The Data Processor agrees to process the Personal Data to which this Supplementary Agreement applies, and in particular each Data Processor agrees that it shall:
(a) process the Personal Data in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of the Personal Data are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation;
(b) process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller; and for no other purpose or in any other manner except with the express prior written consent of the Data Controller;
(c) implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected; in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services ;
(Annex A to the Main Agreement), regard d) Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by any law or regulation affecting the Data Processor;
(e) implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including establishing organisational policies for employees, agents and subcontractors aimed at complying with the Data Processor’s duties to safeguard the Personal Data in accordance with this Supplementary Agreement;
(f) implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller;
(g) ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement;
(h) comply with any request from the Data Controller to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties;
(i) should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications;
(j) promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense;
(k) in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible,
(l) assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data;
(m) not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services;
(n) not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. For the avoidance of doubt, such consent will not be granted should a request be made to transfer the Personal Data to a country which is not a party to the Convention on the Privileges and Immunities of the United Nations of 1946;
(o) permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Supplementary Agreement;
(p) advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and
2.2. If pursuant to any law or regulation affecting a Data Processor, Personal Data is sought by any governmental body, the Data Processor shall:
(a) promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body;
(b) inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”);
(c) request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data;
(d) cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent permissible by law, seek to contest or challenge the demand or request based on, inter alia, the Data Controller’s status, including its privileges and immunities;
(e) where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, notify the Data Controller promptly upon the lapse, termination, removal or modification of such prohibition;
(f) provide the Data Controller with true, correct and complete copies of the governmental body’s demands and requests, the Data Processor’s responses thereto, and keep the Data Controller informed of all developments and communications with the governmental body.
2.3. The obligations and restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the term of this Supplementary Agreement, including any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the Parties in writing.
Appears in 1 contract
Samples: Supplementary Agreement