DATA PROTECTION AND CYBER SECURITY. The Supplier will comply with all applicable requirements of the Data Protection Legislation. Clauses 18.1 to 18.9 are in addition to, and do not relieve, remove or replace, the Supplier's obligations under the Data Protection Legislation. The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and the Supplier is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Without prejudice to the generality of Clause 18.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the Agreement: process that Personal Data only on the written instructions of the Client unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Client; ensure that it has in place appropriate technical and organisational measures, details of which shall be made available as reasonably required by the Client from time to time, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
Appears in 2 contracts
Samples: The Agreement, www.flagship-group.co.uk
DATA PROTECTION AND CYBER SECURITY. The Supplier will comply with all applicable requirements of the Data Protection Legislation. Clauses 18.1 to 18.9 are in addition to, and do not relieve, remove or replace, the Supplier's obligations under the Data Protection Legislation. The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and the Supplier is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Without prejudice to the generality of Clause 18.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the Agreement: not process the Personal Data for any other purpose or in a way that does not comply with the Agreement or the Data Protection Legislation. The Supplier must notify promptly the Client if, in its opinion, the Client's instructions do not comply with the Data Protection Legislation; process that Personal Data only on the written instructions of the Client unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on laws of a member of the European Union or European Union law Applicable Laws as the basis for processing Personal Data, the Supplier shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Client; comply promptly with any Client written instructions requiring the Supplier to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing; maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Client or the Agreement specifically authorises the disclosure, or as required by Applicable Laws, court or regulator (including the Commissioner). If any Applicable Laws, court or regulator (including the Commissioner) requires the Supplier to process or disclose the Personal Data to a third-party, the Supplier must first inform the Client of such legal or regulatory requirement and give the Client an opportunity to object or challenge the requirement, unless the Applicable Law prohibits the giving of such notice; ensure that it has in place appropriate technical and organisational measures, details of which shall be made available as reasonably required by the Client from time to time, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilledData:
Appears in 1 contract
Samples: The Agreement
DATA PROTECTION AND CYBER SECURITY. The Supplier will comply with all applicable requirements of the Data Protection Legislation. Clauses 18.1 to 18.9 are in addition to, and do not relieve, remove or replace, the Supplier's obligations under the Data Protection Legislation. The parties Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller controller, and the Supplier is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Without prejudice to the generality of Clause 18.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the Agreement: not process the Personal Data for any other purpose or in a way that does not comply with the Agreement or the Data Protection Legislation. The Supplier must notify promptly the Client if, in its opinion, the Client's instructions do not comply with the Data Protection Legislation; and process that Personal Data only on the written instructions of the Client unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on laws of a member of the European Union or European Union law Applicable Laws as the basis for processing Personal Data, the Supplier shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Client; and comply promptly with any Client written instructions requiring the Supplier to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing; and maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Client or the Agreement specifically authorises the disclosure, or as required by Applicable Laws, court or regulator (including the Commissioner). If any Applicable Laws, court or regulator (including the Commissioner) requires the Supplier to process or disclose the Personal Data to a third-party, the Supplier must first inform the Client of such legal or regulatory requirement and give the Client an opportunity to object or challenge the requirement, unless the Applicable Law prohibits the giving of such notice; and ensure that it has in place appropriate technical and organisational measures, details of which shall be made available as reasonably required by the Client from time to time, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilledData:
Appears in 1 contract
Samples: Agreement
