Common use of Data Protection Act Clause in Contracts

Data Protection Act. 17.1 For the purposes of this Clause 17.1, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) Process the Personnel Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature) as set out in this Contract or as otherwise notified by the Authority; (b) comply with all applicable laws; (c) Process the Personal Data only to the extent; and in such manner as is necessary for the provision of the Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents who may have access to the Personal Data; (f) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure that all staff and agents required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1; (i) ensure that none of the staff and agents publish disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.17, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 7.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 7.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 7.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 7.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 7.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 7.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 7; (i) ensure 7.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 7.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 11.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 11.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 11.2.9.1 providing the Department with full details of the complaint or request; 11.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 11.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 11.2.9.4 providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 7.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 7.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 7.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which shall be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data shall be Processed and/or to which the Personal Data shall be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who shall be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor shall ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that shall be Processed and/or transferred outside the European Economic Area; 7.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 7.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-contractor or other third party who shall be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).” 7.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.17, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 7.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 7.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 7.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 7.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 7.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-Contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 7.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 7; (i) ensure 7.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 7.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 11.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 11.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 11.2.9.1 providing the Department with full details of the complaint or request; 11.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 11.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 11.2.9.4 providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 7.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 7.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 7.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which shall be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data shall be Processed and/or to which the Personal Data shall be transferred outside the European Economic Area; (c) any Sub-Contractors or other third parties who shall be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor shall ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that shall be Processed and/or transferred outside the European Economic Area; 7.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 7.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-Contractor or other third party who shall be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).” 7.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.17, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 7.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 7.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 7.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 7.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 7.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 7.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 7; (i) ensure 7.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 7.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) 7.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or (b) 7.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 7.2.9.1 providing the Department with full details of the complaint or request; 7.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 7.2.9.3 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 7.2.9.4 providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 7.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 7.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure. 7.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which shall be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data shall be Processed and/or to which the Personal Data shall be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who shall be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor shall ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that shall be Processed and/or transferred outside the European Economic Area; 7.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 7.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and (b) procuring that any Sub-contractor or other third party who shall be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). 7.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 For the purposes of this Clause 17.15.2, the terms “"Data Controller”", “"Data Processor”", “Data Subject”, “"Personal Data”", “"Process” " and “Processing "Processing" shall have the meaning meanings prescribed under the DPA. 17.2 . The Prime Contractor shall (and shall ensure procure that all of its the Staff) comply with any notification requirements under the DPA and both Parties will duly observe all of their obligations under the DPA which arise in connection with the Contract. 17.3 . With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Contracting Body is the Data Controller and that the Prime Contractor is the Data Processor. Notwithstanding the general obligation in clause 17.2Clause 5.2.2, where the Prime Contractor is processing Processing Personal Data (as defined by the DPA) as a Data Processor for the Authority Contracting Body the Prime Contractor shall: (a) shall:- Process the Personnel Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature) Contracting Body as set out in this the Contract or as otherwise notified by the Authority; (b) Contracting Body; comply with all applicable laws; (c) ; Process the Personal Data only to the extent; , and in such manner as is necessary for the provision of the Provider’s Prime Contractor's obligations under this Contract or as is required by Law or any Regulatory Body; (d) the Contract; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) ; take reasonable steps to ensure the reliability of its staff and agents all Staff who may have access to the Personal Data and use all reasonable endeavours to ensure that such persons have sufficient skills and training in the handling of Personal Data; (f) ; obtain prior written consent from the Authority Approval in order to transfer the Personal Data to any sub- contractor agents, Sub-contractors or suppliers for the provision of the Services; Services (gsave that where Approval of any Sub-contractor has been granted by the Contracting Body pursuant to Clause 6.1 (which shall include the Approval of such Sub-contractor’s security plan) the Prime Contractor shall be entitled to transfer the Personal Data to such Sub-contractor without obtaining Approval pursuant to this Clause 5.2.3 (f)); not Process or otherwise cause or permit the Personal Data to be transferred outside of the European Economic Area without Approval. If, after the prior consent Commencement Date, the Prime Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside of the Authority; (h) European Economic Area, the following provisions shall apply:- the Prime Contractor shall comply with then-current Contracting Body, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and the Prime Contractor shall comply with such other instructions and shall carry out such other actions as the Contracting Body may notify in writing. ensure that all staff and agents Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1; (i) Clause 5.2; ensure that none of the staff and agents publish Staff publish, disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority Contracting Body; not disclose Personnel the Personal Data to any third parties in any circumstances other than with the written consent of the Authority Contracting Body or in compliance with a legal obligation imposed upon the AuthorityContracting Body; and 17.4 notify the Authority Contracting Body within five (within [five] 5) Working Days) Days if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.receives:-

Data Protection Act. 17.1 11.1 For the purposes of this Clause 17.1clause 11, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPAData Protection Act. 17.2 11.2 The Contractor shall (and shall ensure that all of its the Contractor’s Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contractthis Framework Agreement. 17.3 11.3 Notwithstanding the general obligation in clause 17.211.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority Lead Procurer, the Contractor shall: (a) Process the Personnel Personal Data only in accordance with instructions from the Authority Lead Procurer (which may be specific instructions or instructions of a general nature) as set out in this Contract Framework Agreement or as otherwise notified by the AuthorityLead Procurer; (b) comply with all applicable lawsLaws; (c) Process the Personal Data only to the extent; extent and in such manner as is necessary for the provision of the Provider’s obligations under this Contract Framework Agreement or as is required by Law or any Regulatory Bodyregulatory body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful access, disclosure and Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful access, Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents the Contractor’s Staff who may have access to the Personal DataData (at a minimum by performing adequate screening of Contractor’s Staff as per clause 4.3.6 of this Framework Agreement); (f) obtain prior written consent from the Authority Lead Procurer in order to transfer the Personal Data to any sub- sub-contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred transferred, stored, accessed, viewed or Processed outside of the European Economic Area country where the research is primarily performed as agreed with the Lead Procurer, without the prior written consent of the AuthorityLead Procurer; (h) ensure that all staff and agents of Contractor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.111; (i) ensure that none of the staff and agents publish Contractor’s Staff publish, disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority not disclose Personnel Lead Procurer; (j) permit the Lead Procurer to inspect and audit the Contractor's (and its subcontractors’ to the extent permitted) data processing activities and comply with reasonable requests or directions by the Lead Procurer to enable it to verify and/or procure that the Contractor is in full compliance with its data protection obligations under this Framework Agreement; (k) on termination of the Framework Agreement for whatever reason, or upon the Lead Procurer’s earlier written request at any time, immediately cease to use or process any Personal Data received by or on behalf of the Lead Procurer under the Framework Agreement, and where practicable return that Personal Data to any third parties the Lead Procurer together with all copies in any circumstances other than with the written consent of the Authority its possession or in compliance with a legal obligation imposed upon the Authoritycontrol; and 17.4 notify the Authority (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 E.1.1 For the purposes of this Clause 17.1E.1, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 E.1.2 The Contractor shall (and shall ensure that all of its it’s entire Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 E.1.3 Notwithstanding the general obligation in clause 17.2E.1.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority Client the Contractor shall: (a) Process the Personnel Data only in accordance with instructions from the Authority Client (which may be specific instructions or instructions of a general nature) as set out in this Contract or as otherwise notified by the Contracting Authority; (b) comply with all applicable laws; (c) Process the Personal Data only to the extent; and in such manner as is necessary for the provision of the Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take reasonable steps to ensure the reliability of its staff and agents who may have access to the Personal Data; (f) obtain prior written consent from the Contracting Authority in order to transfer the Personal Data to any sub- sub-contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the AuthorityClient; (h) ensure that all staff and agents required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1E.1; (i) ensure that none of the staff and agents publish disclose or divulge any of the Personal Data to any third parties unless directed in writing to do so by the Authority Client (j) not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority Client or in compliance with a legal obligation imposed upon the AuthorityClient; and 17.4 E.1.4 notify the Authority Client (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the AuthorityClient’s obligations under the DPA; 17.5 E.1.5 The provision of this Clause 17.1 E.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 26.1 For the purposes of this Clause 17.126, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 26.1.1 The parties recognise that they may handle Personal Data. Both parties shall comply with their legal obligations under the DPA. 26.1.2 The Contractor shall (and shall ensure that all of its Staff) must comply with any notification requirements its legal obligations under the DPA and both Parties will duly observe all their shall notify the Department, as soon as it becomes aware of any actual or potential data incident or breach of your obligations under the DPA which arise in connection with the relation to any personal data processed as a consequence of undertaking this Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where 26.2 Insofar as the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority The Department as a consequence of undertaking this contract the Contractor shall: (a) 26.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 26.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 26.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 26.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 26.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 26.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause26; (i) ensure 26.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 26.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] two Working Days) Days if it receives: (a) 26.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; or; (b) 26.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 26.2.8.3 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: 26.2.8.4 providing the Department with full details of the complaint or request; 26.2.8.5 Assisting or complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; 26.2.9 Where the department receives a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Department's obligations under the Data Protection Legislation the Contractor shall assist the Department by: 26.2.9.1 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and 26.2.9.2 providing the Department with any information requested by the Department; 26.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 26.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 26.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 26.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 26.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which will be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; 26.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 26.2.13 The provision Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: 26.2.13.1 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and 26.2.13.2 procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation).” 26.3 Insofar as the contractor processes personal data for its own administrative purposes, whilst undertaking this Clause 17.1 contract the Contractor must: 26.3.1 comply at all times with the Data Protection Legislation and shall apply during not perform its obligations under this Contract in such a way as to cause the Contract Period and indefinitely after Department to breach any of its expiryapplicable obligations under the Data Protection Legislation.

Data Protection Act. 17.1 11.1 For the purposes of this Clause 17.111, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 11.1.1 The parties recognise that they may handle Personal Data. Both parties shall comply with their legal obligations under the DPA. 11.1.2 The Contractor shall (and shall ensure that all of its Staff) must comply with any notification requirements its legal obligations under the DPA and both Parties will duly observe all their shall notify the Department, as soon as it becomes aware of any actual or potential data incident or breach of your obligations under the DPA which arise in connection with the relation to any personal data processed as a consequence of undertaking this Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where 11.2 Insofar as the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority The Department as a consequence of undertaking this contract the Contractor shall: (a) 11.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 11.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 11.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 11.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 11.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 11.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 11; (i) ensure 11.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 11.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] two Working Days) Days if it receives: (a) 11.2.8.1 a request from a Data Subject to have access to that person’s 's Personal Data; , or (b) 11.2.8.2 a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 11.2.9 Where the department receives a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Department's obligations under the Data Protection Legislation the Contractor shall assist the Department by: 11.2.9.1 providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department) 11.2.9.2 providing the Department with full cooperation and assistance in relation to any complaint or request made; 11.2.9.3 providing the Department with full details of the complaint or request; 11.2.9.4 providing the Department with any information requested by the Department; 11.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 11.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 11.2.12 Not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Commencement Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: 11.2.12.1 the Contractor shall submit a request for change to the Department which shall be dealt with in accordance with any Change Control Procedure 11.2.12.2 the Contractor shall set out in its request for change details of the following: (a) the Personal Data which will be Processed and/or transferred outside the European Economic Area; (b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Department’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; 11.2.12.3 in providing and evaluating the request for change, the parties shall ensure that they have regard to and comply with then-current Department, Government and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally. 11.2.13 The provision Contractor shall comply with such other instructions and shall carry out such other actions as the Department may notify in writing, including: 11.2.13.1 incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and 11.2.13.2 procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Authority on such terms as may be required by the Department, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). 11.3 Insofar as the contractor processes personal data for its own administrative purposes, whilst undertaking this Clause 17.1 contract the Contractor must comply at all times with the Data Protection Legislation and shall apply during not perform its obligations under this Contract in such a way as to cause the Contract Period and indefinitely after Department to breach any of its expiryapplicable obligations under the Data Protection Legislation.

Data Protection Act. 17.1 For With respect to the purposes of parties’ rights and obligations under this Clause 17.1Contract, the terms “parties agree that SDNPA is the Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” Controller and “Processing shall have the meaning prescribed under the DPA. 17.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal the Data (as defined by the DPA) as a Data Processor for the Authority the Processor. 17.1.1 The Contractor shall: (a) Process 17.1.1.1 process the Personnel Personal Data only in accordance with instructions from the Authority SDNPA (which may be specific instructions or instructions of a general nature) as set out in this Contract nature or as otherwise notified by SDNPA to the AuthorityContractor during the term of this Contract); (b) comply with all applicable laws; (c) Process 17.1.1.2 process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Bodyregulatory body; (d) 17.1.1.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processingprocessing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) 17.1.1.4 take reasonable steps to ensure the reliability of its staff and agents any Staff who may have access to the Personal Data; (f) 17.1.1.5 obtain prior written consent from the Authority SDNPA in order to transfer the Personal Data to any sub- contractor Sub-Contractors or affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) 17.1.1.6 ensure that all staff and agents Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.117; (i) 17.1.1.7 ensure that none of the staff and agents publish Staff do not publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; andSDNPA; 17.4 17.1.1.8 notify the Authority SDNPA (within [five] five (5) Working Days) ), if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the AuthoritySDNPA’s obligations under the DPAData Protection Legislation; 17.1.1.9 provide SDNPA with full co-operation and assistance in relation to any complaint or request made, including by: (a) providing SDNPA with full details of the complaint or request; (b) complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the SDNPA’s instructions; (c) providing SDNPA with any Personal Data it holds in relation to a Data Subject (within the timescales required by SDNPA) and (d) providing SDNPA with any information requested by SDNPA; 17.1.1.10 permit the SDNPA or the SDNPA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor’s data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by SDNPA to enable the SDNPA to verify and /or procure that the Contractor is in full compliance with its obligations under this Contract; 17.1.1.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by SDNPA); and 17.1.1.12 not Process Personal Data outside the European Economic Area without the prior written consent of SDNPA and, where SDNPA consents to a transfer, to comply with: (a) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (b) any reasonable instructions notified to it by SDNPA. 17.2 The Contractor shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this agreement in such a way as to cause SDNPA to breach any of its applicable obligations under the Data Protection Requirements. 17.3 The Contractor shall be liable for and shall indemnify (and keep indemnified) the SDNPA against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by SDNPA which arise directly from a breach by the Contractor of its obligations under the Data Protection Requirements, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the Contractor or its employees, servants, agents or Sub-Contractors. 17.4 The Parties acknowledge that the General Data Protection Regulations (GDPR) comes into effect during the term of the Contract on 25 May 2018. 17.5 The provision of this Clause 17.1 Parties agree that prior to 25 May 2018 they shall apply during update the data protection clauses in the Contract Period to ensure compliance with the GDPR. The variation shall be agreed in writing by the parties in accordance with clause [insert number of Variation Clause in the standard terms and indefinitely after its expiryconditions]. 17.6 If the Parties have not agreed a variation to the Contract to ensure compliance with the GDPR by 25 May 2018 SDNPA shall be entitled to terminate the Contract immediately by notice in writing.

Data Protection Act. 17.1 For 16.2.1 With respect to the purposes of Parties' rights and obligations under this Clause 17.1Agreement, the terms “Parties agree that the Authority is the Data Controller”, “Controller and that the Provider is the Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 16.2.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor Provider shall: (a) Process process the Personnel Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature) nature as set out in this Contract Agreement or as otherwise notified by the AuthorityAuthority to the Provider during the Term); (b) comply with all applicable laws; (c) Process process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law or required or reasonably requested by any Regulatory Body; (dc) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosuredisclosure and upon request from the Authority provide a written description of such methods within the timescales required by the Authority. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having shall have regard to the nature of the Personal Data which is to be protected, the state of technological development and the cost of implementing such measures; (d) immediately notify the Authority of any actual or suspected breach of security whereby unauthorised access to Authority Data held on the Authority’s systems or the Provider’s systems has occurred or is likely to occur or have occurred; (e) permit the Authority and any Regulatory Body to inspect, on reasonable notice, and audit the Provider’s Data Processing activities on site (including those of any sub-contractors) so far as these relate to the Personal Data and the Provider shall comply with all reasonable requests or directions from the Authority to enable the Authority to verify and/or procure that the Provider is in full compliance with its obligations under this Agreement; (f) take reasonable steps to ensure the reliability of its staff and agents any Provider Personnel who may have access to the Personal Data; (fg) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor one other than its Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure that all staff and agents Provider Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 16.2; (i) ensure that none of the staff and agents publish Provider Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and; 17.4 (j) notify the Authority within five (within [five] 5) Working Days) Days if it receives: (ak) a request from a Data Subject to have access to that person’s 's Personal Data; or (bl) a complaint or request relating to the Authority’s 's obligations under the DPA; 17.5 (m) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (n) providing the Authority with full details of the complaint or request; (o) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; (p) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (q) providing the Authority with any information requested by the Authority; (r) not Process Personal Data outside the European Economic Area except to the extent pursuant to automatic back-up procedures) without the prior written consent of the Authority (not to be unreasonably withheld) and, where the Authority consents to a transfer, to comply with: (s) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the DPA by providing an adequate level of protection to any Personal Data that is transferred; and (t) any reasonable instructions notified to it by the Authority. 16.2.3 The provision Provider shall comply at all times with the DPA , so far as the act applies to it, and shall not perform its obligations under this Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. 16.2.4 For the purposes of this Clause 17.1 16.2, the terms "Data Controller", "Data Processor", “Data Subject”, "Process" and "Processing" shall apply during have the Contract Period and indefinitely after its expirymeanings prescribed under the DPA. “Personal Data” is defined under clause 1.1 above.

Data Protection Act. 17.1 14.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.114, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 14.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 14.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 14.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law or any Regulatory Body; (d) implement 14.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 14.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 14.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 14.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1clause14; (i) ensure 14.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with Department; 14.2.8 Notify the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (Department within [five] five Working Days) Days if it receives: (a) : - a request from a Data Subject to have access to that person’s 's Personal Data; or (b) or - a complaint or request relating to the Authority’s Department's obligations under the DPAData Protection Legislation; 17.5 14.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: - providing the Department with full details of the complaint or request; - complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; - providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and - providing the Department with any information requested by the Department; 14.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 14.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department); and 14.2.12 Not process Personal Data outside the European Economic Area without the prior written consent of the Department and, where the Department consents to a transfer, to comply with: - the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and - any reasonable instructions notified to it by the Department. 14.3 The provision Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of this Clause 17.1 shall apply during its applicable obligations under the Contract Period and indefinitely after its expiryData Protection Legislation.

Data Protection Act. 17.1 For 7.1 The Parties acknowledge that for the purposes of this Clause 17.1the Data Protection Legislation, the terms “Customer is the Controller and the Contractor is the Processor unless otherwise specified in Schedule 4. The only processing that the Processor is authorised to do is listed in Schedule 4 by the Controller and may not be determined by the Processor. 7.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 7.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller”, “include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Processor”Subjects; and the measures envisaged to address the risks, “Data Subject”including safeguards, “security measures and mechanisms to ensure the protection of Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 7.4 The Contractor shall (and shall ensure that all of its Staff) comply with Processor shall, in relation to any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise Personal Data processed in connection with the its obligations under this Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing : process that Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) Process the Personnel Data only in accordance with instructions from Schedule 4, unless the Authority Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (which may be specific instructions or instructions of a general nature) as set out in this Contract or as otherwise notified but failure to reject shall not amount to approval by the Authority; (b) comply with all applicable laws; Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; (c) Process ensure that: the Processor Personnel do not process Personal Data only to the extent; except in accordance with this Contract (and in such manner as is necessary for the provision of the Provider’s obligations under this Contract or as is required by Law or any Regulatory Body; (d) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take particular Schedule 4); it takes all reasonable steps to ensure the reliability and integrity of its staff and agents any Processor Personnel who may have access to the Personal Data; (f) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) and ensure that all staff they: are aware of and agents required comply with the Processor’s duties under this clause; are subject to access appropriate confidentiality undertakings with the Personal Data Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1; (i) ensure that none of the staff and agents publish do not publish, disclose or divulge any of the Personal Data to any third parties Party unless directed in writing to do so by the Authority Controller or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not disclose Personnel transfer Personal Data to any third parties in any circumstances other than with outside of the EU unless the prior written consent of the Authority Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in compliance relation to the transfer (whether in accordance with a GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal obligation imposed upon remedies; the AuthorityProcessor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); andand the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Contract unless the Processor is required by Law to retain the Personal Data. 17.4 7.5 Subject to clause 7.6, the Processor shall notify the Authority Controller immediately if it: receives a Data Subject Access Request (within [five] Working Days) if it receives: (a) or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under clause 7.5 shall include the provision of further information to the Controller in phases, as details become available. Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 7.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to have access a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to that personany request from the Information Commissioner’s Personal Data; or (b) a complaint Office, or request relating to any consultation by the Authority’s obligations under Controller with the DPA; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiryInformation Commissioner's Office.

Data Protection Act. 17.1 For 5.2.1 With respect to the purposes of Parties' rights and obligations under this Clause 17.1Contract, the terms “parties agree that the Authority is the Data Controller”, “Controller and that the Service Provider is the Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 5.2.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor Service Provider shall: (a) Process take all reasonable steps to process the Personnel Personal Data only in accordance with lawful and reasonable instructions from the Authority (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityAuthority to the Service Provider during the Contract Period); (b) comply with all applicable laws; (c) Process process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law or any Regulatory Body; (dc) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having have regard to the nature of the Personal Data which is to be protected, the state of technological development and the cost of implementing such measures; (ed) take use reasonable steps endeavours to ensure the reliability of its staff engage suitably skilled and agents qualified Service Provider Personnel who may have access to the Personal Data; (fe) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub- contractor anyone other than its Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (hf) ensure that all staff and agents Service Provider Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 5.2; (ig) ensure that none of the staff and agents publish Service Provider Personnel publish, disclose or divulge any of the Personal Data to any third parties party except where expressly authorised under this Agreement, or unless directed in writing to do so by the Authority not disclose Personnel Data or required to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; anddo so by Law; 17.4 (h) notify the Authority within ten (within [five] 10) Working Days) Days if it receives: (ai) a request from a Data Subject whose Personal Data is being processed by the Service Provider under this Agreement, to have access to that person’s 's Personal Data; or (bii) a complaint or request relating to the Authority’s 's obligations under the DPA; 17.5 (i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i) providing the Authority with full details of the complaint or request; (ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; (iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) providing the Authority with any information requested by the Authority in relation to the complaint or request; (j) permit the Authority or the Authority representative (subject to reasonable and appropriate confidentiality undertakings), and where legally permissible to inspect and audit, in accordance with Clause 5.9 (Records and Audit Access), the Service Provider's data Processing activities (and/or those of its agents, subsidiaries and Sub-Service Providers) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Service Provider is in full compliance with its obligations under this Contract; (k) provide a written description of the technical and organisational methods employed by the Service Provider for processing Personal Data (within the timescales reasonably required by the Authority); and (l) not process Personal Data outside the European Economic Area, except where such transfer and processing: (i) is in compliance with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the DPA by providing an adequate level of protection to any Personal Data that is transferred; and (ii) complies with any reasonable instructions notified to it by the Authority; and (iii) is with the Approval of the Authority. 5.2.3 The provision Service Provider shall comply at all times with the DPA in connection with its data privacy obligations under this Agreement and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. 5.2.4 For the purposes of Clause 5.2, the terms "Data Controller", "Data Processor", “Data Subject”, "Personal Data", "Process" and "Processing" shall have the meanings prescribed under the DPA. 5.2.5 The provisions of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.

Data Protection Act. 17.1 6.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. For the purposes of this Clause 17.16, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing shall have the meaning prescribed under the DPA. 17.2 6.2 The Contractor shall (and shall ensure that all of its Staff) comply with any notification requirements under the DPA and both Parties will duly observe all their obligations under the DPA which arise in connection with the Contract. 17.3 Notwithstanding the general obligation in clause 17.2, where the Contractor is processing Personal Data (as defined by the DPA) as a Data Processor for the Authority the Contractor shall: (a) 6.2.1 Process the Personnel Personal Data only in accordance with instructions from the Authority Department (which may be specific instructions or instructions of a general nature) nature as set out in this Contract or as otherwise notified by the AuthorityDepartment to the Contractor during the period of the Contract); (b) comply with all applicable laws; (c) 6.2.2 Process the Personal Data only to the extent; , and in such manner manner, as is necessary for the provision of the Provider’s obligations under this Contract Services or as is required by Law law or any Regulatory Body; (d) implement 6.2.3 Implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (e) take 6.2.4 Take reasonable steps to ensure the reliability of its staff and agents any Contractor Personnel who may have access to the Personal Data; (f) obtain 6.2.5 Obtain prior written consent from the Authority Department in order to transfer the Personal Data to any sub- contractor Sub-contractors or Affiliates for the provision of the Services; (g) not cause or permit the Personal Data to be transferred outside of the European Economic Area without the prior consent of the Authority; (h) ensure 6.2.6 Ensure that all staff and agents Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 17.1Clause 6; (i) ensure 6.2.7 Ensure that none of the staff and agents publish Contractor Personnel publish, disclose or divulge any of the Personal Data to any third parties party unless directed in writing to do so by the Authority not disclose Personnel Data to any third parties in any circumstances other than with the written consent of the Authority or in compliance with a legal obligation imposed upon the Authority; and 17.4 notify the Authority (within [five] Working Days) if it receives: (a) a request from a Data Subject to have access to that person’s Personal Data; or (b) a complaint or request relating to the Authority’s obligations under the DPADepartment; 17.5 The provision of this Clause 17.1 shall apply during the Contract Period and indefinitely after its expiry.