Common use of Data Protection Obligations Clause in Contracts

Data Protection Obligations. 2.1 For the purposes of this Schedule "Personal Data", "Data Processor", "Data Subject", "Data Controller" and "Process" shall have the meanings ascribed to them in the Data Protection Act 1998 (the "DPA") as amended or re-enacted from time to time. 2.2 The Consultant warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this Agreement. 2.3 The Consultant undertakes that to the extent that the Consultant and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Employer ("the Employer’s Personal Data") for the purpose of providing the Services, it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA. In particular, the Consultant agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 2.3.1 the Consultant shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the Employer’s Personal Data and any person it authorises to have access to any the Employer’s Personal Data will respect and maintain the confidentiality and security of the Employer’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the Employer, when providing the Services on the Employer’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 2.3.2 the Consultant shall only process Personal Data for and on behalf of the Employer for the purpose of performing the Services in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written Instructions from the Employer to ensure compliance with the DPA; 2.3.3 the Consultant shall allow the Employer to audit the Consultant's compliance with the requirements of this Clause 2 on reasonable notice and/or, at the Employer’s request, provide the Employer with evidence of the Consultant's compliance with the obligations within this Clause 2. 2.4 The Consultant undertakes not to disclose or transfer any of the Employer’s Personal Data to any third party without the prior written consent of the Employer save that without prejudice to Clause 2.3 the Consultant shall be entitled to disclose the Employer’s Personal Data to employees and third parties to whom such disclosure is reasonably necessary in order for the Consultant to carry out the Services, or to the extent required under a court order. 2.5 The Consultant shall: 2.5.1 take reasonable steps to ensure the reliability of any Consultant Personnel who have access to the Personal Data; 2.5.2 ensure that all Consultant Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 2; 2.5.3 ensure that none of Consultant Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Employer;

Data Protection Obligations. 2.1 For the purposes of this Schedule "Personal Data", "Data Processor", "Data Subject", "Data Controller" and "Process" shall have the meanings ascribed to them in the Data Protection Act 1998 (the "DPA") as amended or re-enacted from time to time. 2.2 The Consultant warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this Agreement. 2.3 The Consultant undertakes that to the extent that the Consultant and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Employer Agency ("the EmployerAgency’s Personal Data") for the purpose of providing the Services, it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA. In particular, the Consultant agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 2.3.1 the Consultant shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the EmployerAgency’s Personal Data and any person it authorises to have access to any the EmployerAgency’s Personal Data will respect and maintain the confidentiality and security of the EmployerAgency’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the EmployerAgency, when providing the Services on the EmployerAgency’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 2.3.2 the Consultant shall only process Personal Data for and on behalf of the Employer Agency for the purpose of performing the Services in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written Instructions from the Employer Agency to ensure compliance with the DPA; 2.3.3 the Consultant shall allow the Employer Agency to audit the Consultant's compliance with the requirements of this Clause 2 on reasonable notice and/or, at the EmployerAgency’s request, provide the Employer Agency with evidence of the Consultant's compliance with the obligations within this Clause 2. 2.4 The Consultant undertakes not to disclose or transfer any of the EmployerAgency’s Personal Data to any third party without the prior written consent of the Employer Agency save that without prejudice to Clause 2.3 the Consultant shall be entitled to disclose the EmployerAgency’s Personal Data to employees and third parties to whom such disclosure is reasonably necessary in order for the Consultant to carry out the Services, or to the extent required under a court order. 2.5 The Consultant shall: 2.5.1 take reasonable steps to ensure the reliability of any Consultant Personnel who have access to the Personal Data; 2.5.2 ensure that all Consultant Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 2; 2.5.3 ensure that none of Consultant Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the EmployerAgency;

Data Protection Obligations. 2.1 For the purposes of this Schedule "Personal Data", "Data Processor", "Data Subject", "Data Controller" and "Process" shall have the meanings ascribed to them in the Data Protection Act 1998 (the "DPA") as amended or re-enacted from time to time. 2.2 . The Consultant warrants and represents that it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this Agreement. 2.3 . The Consultant undertakes that to the extent that the Consultant and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Employer ("the Employer’s Personal Data") for the purpose of providing the Services, it will at all times comply with the provisions of the DPA for the time being in force, including without limitation the Data Protection Principles set out in Schedule 1 of the DPA. In particular, the Consultant agrees to comply with the requirements and obligations imposed on the Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 2.3.1 : the Consultant shall at all material times have in place and maintain appropriate technical and organisational security measures designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the Employer’s Personal Data and any person it authorises to have access to any the Employer’s Personal Data will respect and maintain the confidentiality and security of the Employer’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the Employer, when providing the Services on the Employer’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 2.3.2 ; the Consultant shall only process Personal Data for and on behalf of the Employer for the purpose of performing the Services in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written Instructions from the Employer to ensure compliance with the DPA; 2.3.3 ; the Consultant shall allow the Employer to audit the Consultant's compliance with the requirements of this Clause 2 on reasonable notice and/or, at the Employer’s request, provide the Employer with evidence of the Consultant's compliance with the obligations within this Clause 2. 2.4 . The Consultant undertakes not to disclose or transfer any of the Employer’s Personal Data to any third party without the prior written consent of the Employer save that without prejudice to Clause 2.3 the Consultant shall be entitled to disclose the Employer’s Personal Data to employees and third parties to whom such disclosure is reasonably necessary in order for the Consultant to carry out the Services, or to the extent required under a court order. 2.5 . The Consultant shall: 2.5.1 : take reasonable steps to ensure the reliability of any Consultant Personnel who have access to the Personal Data; 2.5.2 ; ensure that all Consultant Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 2; 2.5.3 ; ensure that none of Consultant Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Employer;; provide a written description of the technical and organisational methods employed by the Consultant for processing Personal Data (within the timescales required by the Employer); and not Process Personal Data outside the European Economic Area without the prior written consent of the Employer and, where the Employer consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Employer. The Consultant agrees to use all reasonable efforts to assist the Employer to comply with such obligations as are imposed on the Employer by the DPA. For the avoidance of doubt, this includes the obligation to: provide to the Employer such access as may be reasonably required from time to time to all Personal Data stored or processed in the provision of the Services under this Agreement in order to enable the Employer to meet its obligations to respond to access requests from Data Subjects under the DPA; provide the Employer with reasonable assistance in complying with any request for information served on the Employer under Section 7 of the DPA; and notify the Employer (within five Working Days) about the receipt of any such request received by the Consultant under Section 7 of the DPA or complaint or request relating to the Employer’s obligations under the DPA and not disclose or release any information (including the Employer’s Personal Data) in response to such a request or complaint without first consulting with the Employer, where the information sought relates to the Employer, its employees, agents and/or its business operations; provide the Employer with full co-operation and assistance in relation to any complaint of request made, including by: providing the Employer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Employer's instructions; providing the Employer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Employer); and providing the Employer with any information requested by the Employer; The Consultant shall comply at all times with the DPA and shall not perform its obligations under this Agreement in such a way as to cause the Employer to breach any of its applicable obligations under the DPA. The Consultant shall indemnify the Employer against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by the Employer as a result of the Consultant's destruction of and/or damage to any of the Employer’s Personal Data processed by the Consultant, its employees, agents, or any breach of or other failure to comply with the obligations in the DPA and/or this Clause 2 by the Consultant, its employees, agents or sub-contractors. The Consultant shall appoint and identify an individual within its organisation authorised to respond to enquiries from the Employer concerning the Consultant's Processing of the Employer’s Personal Data and will deal with all enquiries from the Employer relating to such Personal Data promptly, including those from the Information Commissioner and will to the extent reasonably necessary co-operate with and assist in ensuring compliance with any Data Subject rights of data access, correction, blocking, suppression or deletion relating to the Employer’s Personal Data and in the defence or management of any enforcement action or assessment by the Information Commissioner or any other competent authority in relation thereto. The Consultant undertakes to include obligations no less onerous than those set out in this Clause 2, in all contractual arrangements with agents engaged by the Consultant to provide the Services to the Employer.