Common use of DATA PROTECTION AND PRIVACY Clause in Contracts

DATA PROTECTION AND PRIVACY. a. If Partner has access to or otherwise Processes Personal Data, then Partner shall: i. only Process the Personal Data in accordance with Company's documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum and related Attachments; ii. take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Partner’s own written binding policies are at least as restrictive as this Data Protection Addendum); iii. assist Company as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the services provided by Partner) related to Partner’s Processing of Personal Data; iv. notify the Company without undue delay, and no later than twenty four (24) hours, after becoming aware of a Breach Incident; v. provide full, reasonable cooperation and assistance to Company in: a. allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making; b. ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws; c. Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable). vi. only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; vii. as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any Personal Data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request; viii. make all reasonable efforts to ensure that Personal Data are accurate and up to date at all times while in its custody or under its control, to the extent Partner has the ability to do so; ix. not lease, sell or otherwise distribute Personal Data; x. promptly notify Company of any investigation, litigation, arbitrated matter or other dispute relating to Partner’s information security or privacy practices as it relates to the Processing of Personal Data; xi. promptly notify Company in writing and provide Company an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Company; xii. upon termination of the Agreement, or upon Company's written request at any time during the term of the Agreement, Partner shall cease to Process any Personal Data received from Company, and within a reasonable period will at the request of Company: (1) return the Personal Data; or 2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.

DATA PROTECTION AND PRIVACY. a. If Partner has access to or otherwise Processes Personal Data, then Partner shall: i. only Process the Personal Data for the duration of the Agreement in accordance with Company's documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum and related Attachments; Addendum; ii. take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Partner’s own written binding policies are at least as restrictive as this Data Protection Addendum); iii. assist Company as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the services provided by Partner) related to Partner’s Processing of Personal Data; iv. notify the Company without undue delay, and no later than twenty four (24) hours, after becoming aware of a Breach Incident; v. provide full, reasonable cooperation and assistance to Company in: a. allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making; b. ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws; c. Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable). vi. only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; vii. as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any Personal Data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request; viii. make all reasonable efforts to ensure that Personal Data are accurate and up to date at all times while in its custody or under its control, to the extent Partner has the ability to do so; ix. not lease, sell or otherwise distribute Personal Data; x. promptly notify Company of any investigation, litigation, arbitrated matter or other dispute relating to Partner’s information security or privacy practices as it relates to the Processing of Personal Data; xi. promptly notify Company in writing and provide Company an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Company; xii. upon termination of the Agreement, or upon Company's written request at any time during the term of the Agreement, Partner shall cease to Process any Personal Data received from Company, and within a reasonable period will at the request of Company: (1) return the Personal Data; or 2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.

DATA PROTECTION AND PRIVACY. a. If Partner has access 9.1. A reference to UGC in this clause means UGC or otherwise Processes the Buyer that is the Controller of the relevant Personal DataData for the particular Processing. 9.2. For the Services, then Partner shall:the Supplier is a Processor acting only on UGC’s documented instructions. The context for and purposes of Processing UPD is the Supplier’s provision of the Services under this Agreement. It will include all Processing activities required to perform the Services, will relate to various categories of Personal Data (which may include personal and contact details, employment information, marketing information, financial or payment details) and will affect Data Subjects (which may include UGC employees and staff, customer and clients), as more particularly recorded by the parties. No special categories of Personal Data will be Processed without UGC’s prior written approval. UPD shall be Processed for the Agreement duration and following termination or expiry as required to comply with the deletion/return obligations below. i. 9.3. The parties may, individually as separate Controllers, need to Process Personal Data of each other’s representatives. The Supplier may also Process UPD for the purposes of providing the Services as a separate Controller in some respects, as agreed in writing by the parties. 9.4. The Supplier will only Process the Personal Data UPD in accordance with Company's documented instructions this Agreement as necessary to provide the Services to UGC. 9.5. The Supplier shall: (i) comply with and on its behalf, process all UPD in accordance with applicable Data Protection Laws and in accordance with Annex C - Data Privacy herein; (ii) co-operate and assist UGC with any data protection impact assessments and consultations with (or notifications to) or responding to questions from or investigations by regulators or supervisory authorities; and (iii) promptly inform UGC if any of its instructions infringe Data Protection Laws. 9.6. The Supplier shall ensure that its personnel are subject to an appropriate contractual or statutory duty of confidentiality in relation to the UPD. 9.7. Supplier personnel shall cease Processing UPD when it is no longer necessary to do so to provide the Services or earlier within 15 business days of UGC’s instruction to do so unless it is subject to a legal obligation to retain the UPD. At UGC's option, the Supplier shall securely delete or return that data and shall certify to UGC in writing that it (including its group companies) and each subcontractor has done so. 9.8. If the Supplier receives any complaints, claims or requests in relation to Processing of UPD (particularly those relating to the exercise of Data Subject rights), it shall, without undue delay, forward such to UGC and cooperate and assist UGC with responding to such as directed by UGC. 9.9. The Supplier warrants it has implemented and shall maintain appropriate technical and organisational measures to protect UPD against a Personal Data Breach, which shall at all times satisfy, at a minimum, the standards required by Data Protection Laws. 9.10. If the Supplier becomes aware of any Personal Data Breach, it shall without undue delay (and in any event within 24 hours) notify UGC, investigate the Personal Data Breach, remediate/mitigate any damage and prevent re-occurrence (providing UGC with detailed related information throughout), and cooperate in informing the relevant supervisory authorities or affected Data Subjects. 9.11. The Supplier may appoint sub-processors or allow its group companies to Process UPD. The Supplier shall notify UGC before the appointment of a new or replacement sub-processor and shall provide UGC with a reasonable period of time to object to the appointment or replacement of any such sub-processor. The Supplier shall use its reasonable endeavours to respond to any objection raised by UGC including, if UGC’s objection cannot be adequately addressed, the appointment of an alternative sub-processor. 9.12. Supplier shall ensure subcontractors are contractually bound to the same obligations as contained in this Agreement and this Data Protection Addendum and related Attachments; ii. take reasonable steps shall remain fully liable to ensure the reliability UGC for a subcontractor’s performance, as well as for any of its staff and any other person acting under acts or omissions relating to its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Partner’s own written binding policies are at least as restrictive as this Data Protection Addendum); iii. assist Company as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the services provided by Partner) related to Partner’s Processing of Personal Data;. iv9.13. notify The Supplier (or any subcontractor) shall only transfer UPD from the Company without undue delayUK/EEA to a country outside the EEA or an international organisation where such transfer has been approved in writing by UGC, is subject to appropriate safeguards, and no later than twenty four (24) hours, after becoming aware of a Breach Incident; v. provide full, reasonable cooperation and assistance to Company in: a. allowing data subjects to exercise their rights under the otherwise complies with Data Protection Laws. 9.14. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 9 (promptly providing these to UGC on request) and allow for audits by UGC or its designated representatives. 9.15. The Supplier understands and explicitly consents that the Buyer may collect and process personal data, including (without limitation) that of individuals, personnel, contractors, etc. associated with them, for the right purpose of accessthis Agreement, right including but not limited to rectification, restriction performance of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making; b. ensuring compliance with any notification obligations of personal data breach to the supervisory authority obligations/services by either Parties and communication obligations to data subjects, as required under Data Protection Laws; c. Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable). vi. only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement; vii. as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any Personal Data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request; viii. make all reasonable efforts to ensure that Personal Data are accurate and up to date at all times while mutual business interests in its custody or under its control, to the extent Partner has the ability to do so; ix. not lease, sell or otherwise distribute Personal Data; x. promptly notify Company of any investigation, litigation, arbitrated matter or other dispute relating to Partner’s information security or privacy practices as it relates to the Processing of Personal Data; xi. promptly notify Company in writing and provide Company an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Company; xii. upon termination furtherance of the Agreement, or upon Company's written request at any time during the term of the Agreement, Partner shall cease to Process any Personal Data received from Company, and within a reasonable period will at the request of Company: (1) return the Personal Data; or 2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.