DATA PROCESSOR’S OBLIGATIONS. 4.1 The Parties agree that the subject-matter and duration of Processing performed by the Data Processor under this Processing Agreement and the Purchase Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Exhibit A.
4.2 As part of the Data Processor providing the Services to the Data Controller under the Purchase Agreement, Data Processor shall comply with the obligations imposed upon it under GDPR Articles 28 - 32 and agrees and declares as follows:
(a) The Data Processor shall process Personal Data in accordance with the instructions set forth in this Processing Agreement;
(b) the Data Processor shall ensure that all staff and management of the Data Processor are fully aware of their responsibilities to protect Personal Data in accordance with this Processing Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with GDPR Article 28(3)(b);
(c) the Data Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (Data Security Breach), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including data security consistent with the Humly’s Data Security Standards;
(d) the Data Processor shall notify the Data Controller in accordance with GDPR Article 33(2), without undue delay but in any event within 48 hours, in the event of a confirmed Data Security Breach affecting the Data Controller’s Services Data and to cooperate with the Data Controller as necessary to mitigate or remediate the Data Security Breach. Further, the Data Processor shall cooperate with the Data Controller and take such commercially reasonable steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of any such Data Security Breach under GDPR;
(e) the Data Processor shall comply with the requirements of Clause 5 when engag...
DATA PROCESSOR’S OBLIGATIONS. 3.1. The Data Controller determines the purposes of Processing Client Personal Data for the provision of the Service.
3.2. In relation to the provision of the Service, the Data Processor undertakes to adhere to the following obligations including those defined in Annexes 1 and 2 attached hereto:
a) The Data Processor Processes the Client Personal Data only as necessary to provide the Service, subject to the Data Controller’s written instructions in the present DPA;
b) The Data Processor notifies the Data Controller in case it considers a Data Controller’s written instruction to breach Applicable Data Protection Laws. In no case is the Data Processor under the obligation of performing a comprehensive legal examination with respect to a Client’s written instruction;
c) The Data Processor notifies the Data Controller without undue delay of any contact or communication it receives from a Supervisory Authority in relation to the Processing of Client Personal Data. In this regard, the Parties acknowledge and agree that the responsibility for replying to such requests rests on the Data Controller and not on the Data Processor;
d) The Data Processor has implemented operational, technical and organizational measures, including as described in Annex 2 hereto, aimed at protecting the Client Personal Data. The Parties acknowledge and agree that the Data Processor is specifically allowed to implement adequate alternative measures or use alternative locations as long as the security level of the measures or of the locations is maintained or strengthened compared to the declared measures;
e) In case the Data Processor discloses Client Personal Data to its personnel directly and exclusively involved in the performance of the Service, the Data Processor ensures that such personnel: i) is committed to confidentiality or is under an appropriate statutory obligation of confidentiality and;
DATA PROCESSOR’S OBLIGATIONS. 5.1 The Data Processor shall process the Personal Data:
(i) in compliance with this PDP Annex and, generally, with the level of protection resulting from the Data Privacy Regulations then in force;
(ii) solely for the Agreed Purpose of Processing;
(iii) solely in the Agreed Territory;
(iv) without exceeding the Agreed Retention period;
(v) in such a way as to minimise, by means of suitable preventive security measures, the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, or Processing operations that are either unlawful or inconsistent with the Agreed Purpose.
5.2 The Data Processor shall promptly investigate any reasonable suspicion of Personal Data Breach and act in accordance with Section 12 below.
5.3 The Data Processor shall cooperate with the Data Controller to enable the latter to guarantee to every Data Subject or his/her delegates the possibility to exercise the rights granted to him/her by the Data Privacy Regulations. The Data Processor acknowledges that Data Subject rights shall be exercised only through the Data Controller. Therefore, the Data Processor undertakes to immediately notify the Data Controller of any request that Data Subjects address directly to the Data Processor, and will not respond to any such request or take any other related action, until authorised by the Data Controller.
5.4 The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes any provision on the Processing of Personal Data under the present Agreement.
DATA PROCESSOR’S OBLIGATIONS. The Data Processor acts solely on behalf of and on instructions from the Data Controller in connection with the performance of the agreed Project tasks. The Data Controller thus decides the purposes for which the processing of personal data may take place. The Data Processor undertakes to comply with the Data Protection Rules. Among other things, the Data Processor must (list not exhaustive): Process personal data in accordance with the general principles laid down in Art. 5 of the General Data Protection Regulation. Assist the Data Controller in complying with and protecting the rights of the data subject(s). Prepare a record of processing activities, cf. Art 30(2) of the General Data Protection Regulation. Upon request, the Data Processor must provide the Data Controller with sufficient information to allow the Data Controller to ensure that appropriate technical and organisational security measures have been implemented. Among other things, this includes information about where the personal data are located, as well as physical access to the personal data, if so required by the Data Controller. The Data Processor must ensure that only persons who have a need for such information for the purpose of fulfilling the purpose of the agreement and instructions have access to the personal data. The Data Processor must not, except when instructed by the Data Controller, disclose data which come into the possession of the Data Processor in connection with the performance of the Data Processor’s task. Moreover, the Data Processor must not use or process data from the data processing task for their own purposes or for purposes other than those stipulated by the Data Controller. 
If, in contravention of this agreement, the Data Processor processes data for their own purposes or for purposes other than the purposes stipulated by the Data Controller, an independent legal basis must exist, and the Data Processor will have the independent status of Data Controller for such processing. If the Data Controller finds that an impact assessment must be carried out, cf. Art. 35 of the General Data Protection Regulation, the Data Processor must contribute to carrying out this impact assessment, if so requested by the Data Controller. The Data Processor must implement appropriate technical and organisational security measures, cf. Art. 32 of the General Data Protection Regulation, to protect the personal data against accidental or unlawful destruction, loss or deterioration, and ...
DATA PROCESSOR’S OBLIGATIONS. 7.1. The Processor will follow written and documented instructions received, including email, from the Controller, its affiliate, agents, or personnel, with respect to the Processing of Personal Data (each, an “Instruction”).
7.2. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.
7.3. At the Data Controller’s request, the Data Processor will provide reasonable assistance to the Data Controller in responding to/ complying with requests/ directions by Data Subject in exercising their rights or of the applicable regulatory authorities regarding Data Processor’s Processing of Personal Data.
7.4. In relation to the Personal Data, Data Processor shall obtain consent (where necessary) and/or provide notice to the Data Subject in accordance with Data Protection Laws to enable shared Personal Data to be provided to, and used by, the other Party as contemplated by this Agreement.
7.5. Where shared Personal Data is transferred outside the Data Processor’s territorial boundaries, the transferor shall ensure that the recipient of such data is under contractual obligations to protect such Personal Data to the same or higher standards as those imposed under this Addendum and the Data Protection Laws.
7.6. The processor shall inform the controller if, in its opinion, a processing instruction infringes applicable legislation or regulation.
7.7. As a Data Processor, taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall assist the data controller in conducting any necessary Data Protection Impact Assessments (DPIAs), as required under GDPR.
DATA PROCESSOR’S OBLIGATIONS. At every stage and for every operation of the processing, the Processor must guarantee the respect of the EU principles (such as privacy by design and by default) and the national ones in the field of personal data protection. Specifically, the Processor must:
a) Assist the Data Controller with adequate technical and organisational measures, in order to comply with the Data Controller’s duty to follow-up on any information requests made by data subjects, by informing the Data Controller as soon as possible about the received complaints from the data subjects;
b) Provide the Data Controller with all the necessary information in order to demonstrate compliance with the current appointment, allowing and contributing for the revision activities, including inspections, undertaken by the Data Controller or by its Data Protection Officer, or by another subject so commissioned;
c) Assist the Data Controller in ensuring the compliance with obligations provided for by the articles 35-36 of the GDPR. Specifically, with regards to the establishment of a Data Protection Impact Assessment, if the Data Processor supplies the Data Controller with means/software and/or manages them whilst they belong to the Data Controller, the Data Processor will be obliged to provide and update the risk analysis (probability of a security violation) of the means/software, and notify the Data Controller in compliance with the criteria given by the latter;
d) Inform the Data Controller whenever, in its opinion, an instruction violates the Regulation or other provisions, national or EU, relating to the protection of personal data;
e) Comply with the provisions coming from the Authority and collaborate with the Data Controller in order to implement the provisions it has been given;
f) Assist the Controller in its defence during litigation before the Authority, on the Data Controller’s request and expenses;
g) Proceed to appoint a Data Protection Officer (hereinafter, “DPO”), in the cases provided for by the article 37 of the GDPR, and in accordance with the criteria for selection set out by the GDPR, of its related guidelines of Article 29 Working Party, as well as the instructions provided for by the Authority, warranting for the compliance with the provisions referred to in article 39 of the GDPR;
h) Provide for the arrangement of the Record of Processing Activities as provided for by article 30 of the GDPR, keeping it at the disposal of the Data Controller, or the Authority, if requeste...
DATA PROCESSOR’S OBLIGATIONS. 1. The Data Processor processes personal data under effective agreements only, with the purpose, nature and scope of data processing being subject exclusively to the Data Controller’s directions. The Data Processor may not transfer personal data to third parties. Data Processor shall, upon Data Controller’s request, provide to Data Controller all information on Data Controller’s personal data and information. In its processing of data, the Data Processor may deviate from such directions only to the extent that the Data Controller has consented thereto in writing.
2. The Data Processor will assist the Data Controller with the implementation as well as the full and swift completion of controls. Where Data Controller, based upon applicable data protection law, is obliged to inform an individual about the collection, processing or use of its personal data, Data Processor shall assist Data Controller in making this information.
3. The Data Controller shall retain title as to any carrier media provided to Data Processor as well as any copies or reproductions thereof. Data Processor shall store such media safely and protect them against unauthorized access by third parties. Documents and files containing personal data that are no longer needed must not be deleted without the Data Controller’s prior consent.
4. The Data Processor hereby confirms that it has appointed a privacy officer, and undertakes to identify the privacy officer to the Data Controller in writing (electronic mail being admissible).
5. For purposes of proper personal data processing, the Data Processor represents and warrants that all agreed measures will be implemented as intended.
6. The Data Processor must ensure that its enterprise and the course of its operations are aligned with the objective of protecting the data processed on the Data Controller’s behalf as required – e.g., against unauthorized third-party access. Upon Data Controller’s request, Data Processor shall provide a comprehensive and current personal data protection and security program covering processing hereunder. The Data Processor will duly consult the Data Controller before implementing any changes to the system of processing the Data Controller’s data, provided such changes affect data security.
7. The Data Processor will promptly notify the Data Controller if and when it deems the latter’s directions to be in violation of applicable law, and the Data Processor may put off following any such direction until it is confirme...
DATA PROCESSOR’S OBLIGATIONS. 4.1 In respect of the Processing of Personal Data by the Data Processor, or Data Processor Personnel, under or in connection with the Agreement or the Services, the Data Processor warrants that it shall, and shall procure that the Data Processor Personnel shall:
(a) only Process the Personal Data on behalf of the Data Controller in accordance with, and for the purposes set out in the Agreement, or otherwise in accordance with any written instructions received from the Data Controller from time to time. Under no circumstances shall the Data Processor use or process Personal Data for any other purpose without the prior written agreement or instructions of the Data Controller;
(b) permit the Data Controller, upon written request, to audit the Data Processor and obtain information reasonably necessary for the purposes of monitoring compliance with the Data Protection Laws. Such inspection shall not relieve the Data Processor of any of its obligations under the Agreement;
(c) not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by the Data Controller. For the purposes of this clause, the Data Processor is permitted to disclose Personal Data to the following third parties as reasonably necessary in providing the Services under the Agreement:
(i) to the auditors or legal counsel of the Data Controller; and
(ii) to other entities within the Wilmington Trust group for normal data backup practices as permitted in accordance with Data Protection Laws;
(d) implement appropriate technical and organisational measures to:
(i) protect the Personal Data against unauthorised or unlawful Processing and against accidental or unlawful loss, destruction, damage, alteration, or disclosure,
(ii) comply with the Data Protection Laws, and
(iii) ensure the protection of the rights of the Data Subject, in particular the rights contained in Articles 12 to 23 of the GDPR;
(e) process the Personal Data in accordance with the Data Protection Laws (as applicable) and not permit anything to be done which might cause the Data Controller in any way to be in breach of the Data Protection Laws;
(f) co-operate and assist with, as requested by the Data Controller, and put appropriate technical and organisational measures in place to enable, the Data Controller to comply with any exercise of rights by a Data Subject under the Data Protection Law...
DATA PROCESSOR’S OBLIGATIONS. 4.1 To the extent that the Data Processor processes Personal Data in the course of providing the Services, each party acknowledges that, for the purposes of the Data Protection Legislation the Data Processor is the processor of any Personal Data.
4.2 The Data Processor may collect, process or use Personal Data only within the scope of this DPA.
4.3 The Data Processor confirms that it shall process Personal Data on behalf of the Data Controller in accordance with the documented instructions of the Data Controller.
4.4 The Data Processor shall promptly inform the Data Controller, if in the Data Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Data Controller, breach any Data Protection Legislation.
4.5 The Data Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data:
4.5.1 Are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;
4.5.2 Have received appropriate training on their responsibilities as a data processor; and
4.5.3 Are bound by the terms of this DPA.
4.5.4 The Data Processor shall implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
4.6 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
4.6.1 the pseudonymisation and encryption of Personal Data;
4.6.2 the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
4.6.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
4.6.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
4.7 The te...
DATA PROCESSOR’S OBLIGATIONS. 6.1 As set out above in Clause 4, We the Data Processor shall only process the Personal Data to the extent and in such a manner as is necessary for the purposes of the Services and not for any other purpose. Any additional instructions to those agreed and given by the Data Controller to Us the Data Processor shall be made in writing and shall at all times be in compliance with the Data Protection Legislation. We the Data Processor shall act only on such written instructions from you the Data Controller unless the Data Processor is required by domestic law to do otherwise (as per Article 29 of the UK GDPR) (in which case, We the Data Processor shall inform you the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law).
6.2 We the Data Processor shall not process the Personal Data in any manner which does not comply with the provisions of this Agreement or with the Data Protection Legislation.
6.3 We the Data Processor shall promptly comply with any written request from you the Data Controller requiring Us the Data Processor to amend, transfer, delete (or otherwise dispose of), or to otherwise process the Personal Data.
6.4 We the Data Processor shall promptly comply with any written request from you the Data Controller requiring Us the Data Processor to stop, mitigate, or remedy any unauthorised processing involving the Personal Data.
6.5 We the Data Processor shall provide all reasonable assistance to you the Data Controller in complying with its obligations under the Data Protection Legislation including, but not limited to, the protection of Data Subjects’ rights, the security of processing, the notification of Personal Data Breaches, the conduct of data protection impact assessments, and in dealings with the Information Commissioner (including, but not limited to, consultations with the Information Commissioner where a data protection impact assessment indicates that there is a high risk which cannot be mitigated).
6.6 For the purposes of sub-Clause 6.5, “all reasonable assistance” shall take account of the nature of the processing carried out by Us the Data Processor and the information available to Us the Data Processor.
6.7 In the event that We the Data Processor become aware of any changes to the Data Protection Legislation that may, in its reasonable interpretation, adversely impact its performance of the Services and the processing of the Personal Data under...