Common use of Data Protection and Data Breach Clause in Contracts

Data Protection and Data Breach. a) The parties acknowledge that where Kineo processes personal data in connection with this Agreement, it is a processor of the Customer, who is the controller. The subject-matter of the data processing is the performance of the Services. Annex 1 sets out the nature, duration and purposes of the processing, the types of personal data Kineo processes and the categories of data subjects whose personal data is processed. b) Kineo shall: i. process the personal data only in accordance with documented instructions from the Customer. If Kineo is required to process the personal data for any other purpose by applicable laws to which Kineo is subject, Kineo will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest. It is acknowledged by the parties that Kineo shall be permitted to anonymise the personal data for the purposes of providing statistical analysis and consulting services without breach of this requirement. ii. at all times comply with applicable Data Protection Legislation and Privacy Laws and notify the Customer immediately if, in Kineo’s opinion, an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Legislation and/or Privacy Laws; c) Kineo shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data. d) Kineo shall assist the Customer, always taking into account the nature of the processing: i. by appropriate technical and organisational measures and in so far as is possible, in fulfilling the Customer’s obligations to respond to requests from data subjects exercising their rights; and ii. in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Kineo. e) Kineo shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. f) In the event of a suspected breach affecting the confidentiality, integrity or availability of personal data takes place, Kineo will, without undue delay, notify the Customer of the breach and provide all commercially reasonable assistance as required by Data Protection Legislation. g) Kineo shall be entitled to engage a new sub-contractor or replace an existing one for the processing of personal data provided that Kineo notifies the Customer at least 30 days in advance of its intended change and receives no objection from the Customer within 10 Business Days from its notification. If the Customer objects to the change of a sub-contractor within such period, Kineo shall use reasonable efforts to make available a change in the associated processing services to avoid the processing of personal data by the objected-to sub-contractor. If Kineo is unable to make this change in a reasonable period of time or the Customer does not approve such change, the Customer may, by providing written notice to Kineo, terminate the associated processing service which cannot be provided without the use of the objected-to sub-contractor. The existing sub- contractors listed in Annex 1 are those approved at the commencement of this Agreement. h) For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation and/or Privacy Laws, Kineo will remain fully liable to the Customer for the fulfilment of Kineo’s obligations under these terms. i) Kineo shall allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of this Agreement and for 12 months thereafter which will include providing access to the records held further to Clause 10, and the premises, resources, and Xxxxx’s personnel used in connection with the provision of the Services or the Associated Services (as the case may be), and provide all reasonable assistance in order to assist the Customer in exercising its audit rights under this Clause. The purpose of this audit shall be limited to ensuring compliance with this Clause 10. If the Customer’s request for information or access relates to a sub-contractor, or information held by a sub- contractor which Kineo cannot provide to the Customer itself, Kineo will promptly submit a request for additional information in writing to the relevant sub- contractor(s). The Customer acknowledges that access to the sub-contractor's premises or to information about the sub-contractor's previous independent audit reports is subject to agreement from the relevant sub-contractor, and that Kineo cannot guarantee access to that sub-contractor's premises or audit information at any particular time, or at all. j) Xxxxx shall be permitted to process personal data outside the AU, NZ, UK and European Economic Area, provided that it does so on the basis of a valid adequacy decision has been issued or adequacy determined in another valid method under Data Protection Legislations. In particular, Kineo shall enter into valid data transfer agreements under Data Protection Legislation to ensure the adequacy of international transfers where necessary. k) Xxxxx agrees to comply with any reasonable directions of the Customer in relation to Personal Data and not to send any Personal Data outside Australia or New Zealand (as applicable), or allow Personal Data to be accessed from a location outside Australia or New Zealand (as applicable), without Customer’s prior written consent. If any information is sent overseas or accessed from overseas, Kineo must ensure that it does not store, use or disclose that information inconsistently with the Privacy Legislation and the Customer’s directions. l) On termination of this Agreement, Kineo shall, at the Customer’s option, to be provided promptly, either return or delete the personal data.

Data Protection and Data Breach. a) The parties acknowledge that where Kineo processes personal data in connection with this Agreement, it is a processor of the Customer, who is the controller. The subject-matter of the data processing is the performance of the Services. Annex 1 sets out the nature, duration and purposes of the processing, the types of personal data Kineo processes and the categories of data subjects whose personal data is processed. b) Kineo shall: i. process the personal data only in accordance with documented instructions from the Customer. If Kineo is required to process the personal data for any other purpose by applicable laws to which Kineo Xxxxx is subject, Kineo Xxxxx will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest. It is acknowledged by the parties that Kineo Xxxxx shall be permitted to anonymise the personal data for the purposes of providing statistical analysis and consulting services without breach of this requirement. ii. at all times comply with applicable Data Protection Legislation and Privacy Laws and notify the Customer immediately if, in KineoXxxxx’s opinion, an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Legislation and/or Privacy LawsLegislation; c) Kineo Xxxxx shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data. d) Kineo Xxxxx shall assist the Customer, always taking into account the nature of the processing: i. by appropriate technical and organisational measures and in so far as is possible, in fulfilling the Customer’s obligations to respond to requests from data subjects exercising their rights; and ii. in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Kineo. e) Kineo shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. f) In the event of a suspected breach affecting the confidentiality, integrity or availability of personal data takes place, Kineo will, without undue delay, notify the Customer of the breach and provide all commercially reasonable assistance as required by Data Protection Legislation. g) Kineo Xxxxx shall be entitled to engage a new sub-contractor or replace an existing one for the processing of personal data provided that Kineo Xxxxx notifies the Customer at least 30 days in advance of its intended change and receives no objection from the Customer within 10 Business Days from its notification. If the Customer objects to the change of a sub-contractor within such period, Kineo shall use reasonable efforts to make available a change in the associated processing services to avoid the processing of personal data by the objected-to sub-contractor. If Kineo Xxxxx is unable to make this change in a reasonable period of time or the Customer does not approve such change, the Customer may, by providing written notice to Kineo, terminate the associated processing service which cannot be provided without the use of the objected-to sub-contractor. The existing sub- contractors listed in Annex 1 are those approved at the commencement of this Agreement. h) For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation and/or Privacy LawsLegislation, Kineo will remain fully liable to the Customer for the fulfilment of KineoXxxxx’s obligations under these terms. i) Kineo shall allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of this Agreement and for 12 months thereafter which will include providing access to the records held further to Clause 10, and the premises, resources, and Xxxxx’s personnel used in connection with the provision of the Services or the Associated Services (as the case may be), and provide all reasonable assistance in order to assist the Customer in exercising its audit rights under this Clause. The purpose of this audit shall be limited to ensuring compliance with this Clause 10. If the Customer’s request for information or access relates to a sub-contractor, or information held by a sub- contractor which Kineo cannot provide to the Customer itself, Kineo will promptly submit a request for additional information in writing to the relevant sub- contractor(s). The Customer acknowledges that access to the sub-contractor's premises or to information about the sub-contractor's previous independent audit reports is subject to agreement from the relevant sub-contractor, and that Kineo cannot guarantee access to that sub-contractor's premises or audit information at any particular time, or at all. j) Xxxxx Kineo shall be permitted to process personal data outside the AU, NZ, UK and European Economic Area, provided that it does so on the basis of a valid adequacy decision has been issued or adequacy determined in another valid method under Data Protection Legislations. In particular, Kineo Xxxxx shall enter into valid data transfer agreements under Data Protection Legislation to ensure the adequacy of international transfers where necessary. k) Xxxxx agrees to comply with any reasonable directions of the Customer in relation to Personal Data and not to send any Personal Data outside Australia or New Zealand (as applicable), or allow Personal Data to be accessed from a location outside Australia or New Zealand (as applicable), without Customer’s prior written consent. If any information is sent overseas or accessed from overseas, Kineo must ensure that it does not store, use or disclose that information inconsistently with the Privacy Legislation and the Customer’s directions. l) On termination of this Agreement, Kineo shall, at the Customer’s option, to be provided promptly, either return or delete the personal data.

Data Protection and Data Breach. a) The parties acknowledge that where Kineo processes personal data in connection with this Agreement, it is a processor of the Customer, who is the controller. The subject-matter of the data processing is the performance of the Services. Annex 1 sets out the nature, duration and purposes of the processing, the types of personal data Kineo processes and the categories of data subjects whose personal data is processed. b) Kineo shall: i. process the personal data only in accordance with documented instructions from the Customer. If Kineo is required to process the personal data for any other purpose by applicable laws to which Kineo Xxxxx is subject, Kineo Xxxxx will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest. It is acknowledged by the parties that Kineo Xxxxx shall be permitted to anonymise the personal data for the purposes of providing statistical analysis and consulting services without breach of this requirement. ii. at all times comply with applicable Data Protection Legislation and Privacy Laws and notify the Customer immediately if, in KineoXxxxx’s opinion, an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Legislation and/or Privacy Laws; c) Kineo Xxxxx shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data. d) Kineo Xxxxx shall assist the Customer, always taking into account the nature of the processing: i. by appropriate technical and organisational measures and in so far as is possible, in fulfilling the Customer’s obligations to respond to requests from data subjects exercising their rights; and ii. in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Kineo. e) Kineo shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. f) In the event of a suspected breach affecting the confidentiality, integrity or availability of personal data takes place, Kineo will, without undue delay, notify the Customer of the breach and provide all commercially reasonable assistance as required by Data Protection Legislation. g) Kineo Xxxxx shall be entitled to engage a new sub-contractor or replace an existing one for the processing of personal data provided that Kineo Xxxxx notifies the Customer at least 30 days in advance of its intended change and receives no objection from the Customer within 10 Business Days from its notification. If the Customer objects to the change of a sub-contractor within such period, Kineo shall use reasonable efforts to make available a change in the associated processing services to avoid the processing of personal data by the objected-to sub-contractor. If Kineo Xxxxx is unable to make this change in a reasonable period of time or the Customer does not approve such change, the Customer may, by providing written notice to Kineo, terminate the associated processing service which cannot be provided without the use of the objected-to sub-contractor. The existing sub- contractors listed in Annex 1 are those approved at the commencement of this Agreement. h) For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation and/or Privacy Laws, Kineo Xxxxx will remain fully liable to the Customer for the fulfilment of KineoXxxxx’s obligations under these terms. i) Kineo shall allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of this Agreement and for 12 months thereafter which will include providing access to the records held further to Clause 10, and the premises, resources, and Xxxxx’s personnel used in connection with the provision of the Services or the Associated Services (as the case may be), and provide all reasonable assistance in order to assist the Customer in exercising its audit rights under this Clause. The purpose of this audit shall be limited to ensuring compliance with this Clause 10. If the Customer’s request for information or access relates to a sub-contractor, or information held by a sub- contractor which Kineo cannot provide to the Customer itself, Kineo will promptly submit a request for additional information in writing to the relevant sub- contractor(s). The Customer acknowledges that access to the sub-contractor's premises or to information about the sub-contractor's previous independent audit reports is subject to agreement from the relevant sub-contractor, and that Kineo cannot guarantee access to that sub-contractor's premises or audit information at any particular time, or at all. j) Xxxxx shall be permitted to process personal data outside the AU, NZ, UK and European Economic Area, provided that it does so on the basis of a valid adequacy decision has been issued or adequacy determined in another valid method under Data Protection Legislations. In particular, Kineo Xxxxx shall enter into valid data transfer agreements under Data Protection Legislation to ensure the adequacy of international transfers where necessary. k) Xxxxx agrees to comply with any reasonable directions of the Customer in relation to Personal Data and not to send any Personal Data outside Australia or New Zealand (as applicable), or allow Personal Data to be accessed from a location outside Australia or New Zealand (as applicable), without Customer’s prior written consent. If any information is sent overseas or accessed from overseas, Kineo Xxxxx must ensure that it does not store, use or disclose that information inconsistently with the Privacy Legislation and the Customer’s directions. l) On termination of this Agreement, Kineo shall, at the Customer’s option, to be provided promptly, either return or delete the personal data.