Common use of DATA PROTECTION & SECURITY Clause in Contracts

DATA PROTECTION & SECURITY. 12.1 The Contractor shall comply with all applicable requirements of the Data Protection Laws. 12.2 The Parties acknowledge that for the purposes of the Data Protection Laws, NUI Galway is the Data Controller and the Contractor is the Data Processor in respect of Data which is Personal Data. 12.3 Without prejudice to the generality of clause 12.1, the Contractor shall, in relation to any Personal Data processed in connection with the performance by the Contractor of its obligations under this Agreement: (a) process that Personal Data only on the written instructions of NUI Galway; (b) ensure that it has in place appropriate technical and organisational measures, as may be reviewed and approved by NUI Galway, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (d) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (e) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of NUI Galway has been obtained and the following conditions are fulfilled; (i) appropriate safeguards are in place in relation to the transfer, to ensure that Personal Data is adequately protected in accordance with Chapter V of Regulation 2016/679 ( General Data Protection Regulation); (ii) the data subject has enforceable rights and effective legal remedies; (iii) The Contractor complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and (iv) The Contractor complies with reasonable instructions notified to it in advance by NUI Galway with respect to the processing of the Personal Data; 12.4 The Contractor shall promptly notify NUI Galway if it receives a Data Subject Access Request to have access to any Personal Data or any other complaint, correspondence, notice, request any order of the Court or request of any regulatory or government body relating to NUI Galway’s obligations under the Data Protection Laws and provide full co-operation and assistance to NUI Galway in relation to any such complaint, order or request (including, without limitation, by allowing Data Subjects to have access to their data). 12.5 The Contractor shall without undue delay report in writing to NUI Galway any data compromise involving Personal Data, or any circumstances that could have resulted in unauthorised access to or disclosure of Personal Data. 12.6 The Contractor shall assist NUI Galway in ensuring compliance with its obligations under the Data Protection Laws with respect to security, Impact Assessments and consultations with supervisory authorities and regulators. 12.7 The Contractor shall amend, delete (and provide confirmation thereof) or return Personal Data and copies thereof to NUI Galway on termination of this Agreement unless the Contractor is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Contractor to store the Personal Data. 12.8 The Contractor shall permit NUI Galway, the Office of the Data Protection Commission or other supervisory authority for data protection in Ireland, and/ or their nominee to conduct audits and or inspections of the Contractor’s facilities, and to have access to all data protection, confidentiality and security procedures, data equipment, mechanisms, documentation, databases, archives, data storage devices, electronic communications and storage systems used by the Contractor in any way for the provision of the Goods and Services. The Contractor shall comply with all reasonable directions of NUI Galway arising out of any such inspection, audit or review. 12.9 The Contractor shall fully comply with, and implement policies which are communicated or notified to the Contractor by NUI Galway from time to time. 12.10 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 12 and allow for inspections and contribute to any audits by NUI Galway or NUI Galway’s designated auditor. 12.11 The Contractor shall:- (a) take all reasonable precautions to preserve the integrity of any Personal Data which it processes and to prevent any corruption or loss of such Personal Data; (b) ensure that a back-up copy of any and all such Personal Data is made at least daily and this copy is recorded on media from which the data can be reloaded if there is any corruption or loss of the data; and (c) in such an event and if attributable to any default by the Contractor or any Sub-contractor, promptly restore the Personal Data at its own expense or, at NUI Galway’s option, reimburse NUI Galway for any reasonable expenses it incurs in having the Personal Data restored by a third party. 12.12 NUI Galway consents to the Contractor appointing third-party processor(s) of Personal Data under this Agreement if written permission is sought from and provided by NUI Galway in advance of such engagement. The Contractor confirms that it has entered or (as the case may be) shall enter into a written agreement incorporating terms which are substantially similar to those set out in this clause 12 as between NUI Galway and the Contractor, the Contractor shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 12. 12.13 Save for clauses 12.1, 12.2, 12.3 (d), and 12.4, all the obligations on the Contractor in this clause 12 relating to the processing of Personal Data shall apply to the processing of all Data. 12.14 The provisions of this clause 12 shall survive termination and or expiry of this Agreement for any reason.

DATA PROTECTION & SECURITY. 12.1 The Contractor 9.1 Both Parties shall comply with all applicable requirements of the Data Protection LawsLegislation. This clause 9 is in addition to, and does not relieve, remove or replace, a Party's obligations under the Data Protection Legislation. 12.2 9.2 The Parties acknowledge that for the purposes of the Data Protection LawsLegislation, NUI Galway the Client is the Data data controller and RightsDD is the data processor (where Controller and Processor have the Contractor is meanings as defined in the Data Processor Protection Legislation). Schedule 5 sets out the scope, nature and purpose of processing by RightsDD, the duration of the processing and the types of personal data (as defined in respect the Data Protection Legislation, Personal Data) and categories of Data which is Personal DataSubject. 12.3 9.3 Without prejudice to the generality of clause 12.19.1, the Contractor Client shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to RightsDD for the duration and purposes of this agreement. 9.4 Without prejudice to the generality of clause 9.1, RightsDD shall, in relation to any Personal Data processed in connection with the performance by the Contractor RightsDD of its obligations under this Agreement: agreement: (a) process that Personal Data only on the written instructions of NUI Galway; the Client unless RightsDD is required by the law to do so and shall promptly notify the Client of this legal requirement before performing the processing unless that law prohibits such information being given on important grounds of public interest; (b) ensure that it has in place appropriate technical and organisational measures, as may be reviewed and approved by NUI Galwaythe Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); ; (d) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (ec) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of NUI Galway the Client has been obtained and the following conditions are fulfilled; : (i) the Client or RightsDD has provided appropriate safeguards are in place in relation to the transfer, to ensure that Personal Data is adequately protected in accordance with Chapter V of Regulation 2016/679 ( General Data Protection Regulation); ; (ii) the data subject Data Subject has enforceable rights and effective legal remedies; ; (iii) The Contractor RightsDD complies with its obligations under the Data Protection Laws Legislation by providing an adequate level of protection to any Personal Data that is transferred; and and (iv) The Contractor RightsDD complies with reasonable instructions notified to it in advance by NUI Galway the Client with respect to the processing of the Personal Data; 12.4 The Contractor shall promptly notify NUI Galway if it receives (d) assist the Client, at the Client's cost, in responding to any request from a Data Subject Access Request to have access to any Personal Data or any other complaint, correspondence, notice, request any order of the Court or request of any regulatory or government body relating to NUI Galway’s obligations under the Data Protection Laws and provide full co-operation and assistance to NUI Galway in relation to any such complaint, order or request (including, without limitation, by allowing Data Subjects to have access to their data). 12.5 The Contractor shall without undue delay report in writing to NUI Galway any data compromise involving Personal Data, or any circumstances that could have resulted in unauthorised access to or disclosure of Personal Data. 12.6 The Contractor shall assist NUI Galway in ensuring compliance with its obligations under the Data Protection Laws Legislation with respect to security, Impact Assessments breach notifications, impact assessments and consultations with supervisory authorities or regulators; (e) notify the Client without undue delay and regulators.in any event within 48 hours on becoming aware of a Personal Data breach; and 12.7 The Contractor shall amend(f) at the written direction of the Client, delete (and provide confirmation thereof) or return Personal Data and copies thereof to NUI Galway the Client on termination of this Agreement unless the Contractor agreement other than any copies RightsDD is required to retain by the laws of any member of the European Union or by the laws of the European Union applicable to the Contractor to store the Personal Datalaw. 12.8 9.5 The Contractor shall permit NUI Galway, the Office of the Data Protection Commission or other supervisory authority for data protection in Ireland, and/ or their nominee Client consents to conduct audits and or inspections of the Contractor’s facilities, and to have access to all data protection, confidentiality and security procedures, data equipment, mechanisms, documentation, databases, archives, data storage devices, electronic communications and storage systems used by the Contractor in any way for the provision of the Goods and Services. The Contractor shall comply with all reasonable directions of NUI Galway arising out of any such inspection, audit or review.RightsDD appointing: 12.9 The Contractor shall fully comply with, and implement policies which are communicated or notified to the Contractor by NUI Galway from time to time. 12.10 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 12 and allow for inspections and contribute to any audits by NUI Galway or NUI Galway’s designated auditor. 12.11 The Contractor shall:- (a) take all reasonable precautions to preserve the integrity of any Personal Data which it processes and to prevent any corruption or loss of such Personal DataGoogle Cloud Platform Services; (b) ensure that a back-up copy of any and all such Personal Data is made at least daily and this copy is recorded on media from which the data can be reloaded if there is any corruption or loss of the data; and (c) in such an event and if attributable to any default by the Contractor or any Sub-contractor, promptly restore the Personal Data at its own expense or, at NUI Galway’s option, reimburse NUI Galway for any reasonable expenses it incurs in having the Personal Data restored by a third party. 12.12 NUI Galway consents to the Contractor appointing as third-party processor(s) processors of Personal Data under this Agreement if agreement. 9.6 The Client consents to RightsDD appointing other third-party processors of Personal Data on written permission is sought from and provided by NUI Galway in advance of such engagement. The Contractor notice to the Client. 9.7 RightsDD confirms that it has entered or (as the case may be) shall will enter with third-party processors into a written agreement incorporating terms which are substantially similar to those set out in this clause 12 as 9. 9.8 As between NUI Galway the Client and the ContractorRightsDD, the Contractor RightsDD shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 129. 12.13 Save for clauses 12.1, 12.2, 12.3 (d), and 12.4, all the obligations on the Contractor in this clause 12 relating to the processing of Personal Data shall apply to the processing of all Data. 12.14 The provisions of this clause 12 shall survive termination and or expiry of this Agreement for any reason.

DATA PROTECTION & SECURITY. 12.1 The Contractor shall 15.1 Both parties will comply with all applicable requirements of the Data Protection LawsLegislation. This clause 15 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 12.2 15.2 The Parties parties acknowledge that for the purposes of the Data Protection LawsLegislation, NUI Galway the Customer (or the Service Recipient as appropriate) is the data controller and Egton is the data processor (where data controller and data processor have the meanings as defined in the Data Controller Protection Legislation). 15.3 Annex 1 sets out the scope, nature and purpose of processing by Egton, the duration of the processing and the Contractor is types of Personal Data and categories of Data Subject (both as defined in the Data Processor in respect Protection Legislation). The parties may, from time to time, update Annex 1 to reflect any changes to the scope of Data which is Personal Datathe processing. 12.3 15.4 Without prejudice to the generality of clause 12.115.1, the Contractor Customer (and/or where appropriate the relevant Service Recipient) will ensure that it has all necessary rights and notices in place to enable the lawful transfer of the Personal Data to Egton for the duration and purposes of the Agreement. 15.5 Egton shall, in relation to any Personal Data processed in connection with the performance by the Contractor Egton of its obligations under this the Agreement: (a) : 15.5.1 process that Personal Data only on the written instructions of NUI Galway; the Customer or where appropriate the relevant Service Recipient (b) unless otherwise required by law); 15.5.2 ensure that it has in place appropriate technical and organisational measures, as may be reviewed and approved by NUI Galwaythe Customer (and/or where appropriate the relevant Service Recipient), to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising measures; 15.5.3 take all reasonable steps to ensure the reliability and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience integrity of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (d) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (e) Data; 15.5.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of NUI Galway the Customer (and/or where appropriate the relevant Service Recipient) has been obtained and the following conditions are fulfilled; : 15.5.4.1 the Customer (iand/or where appropriate the relevant Service Recipient) or Egton has provided appropriate safeguards are in place in relation to the transfer, to ensure that Personal ; 15.5.4.2 the Data is adequately protected in accordance with Chapter V of Regulation 2016/679 ( General Data Protection Regulation); (ii) the data subject Subject has enforceable rights and effective legal remedies; (iii) The Contractor ; 15.5.4.3 Egton complies with its obligations under the Data Protection Laws Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) The Contractor and 15.5.4.4 Egton complies with reasonable instructions notified to it in advance by NUI Galway the Customer (and/or where appropriate the relevant Service Recipient) with respect to the processing of the Personal Data; 12.4 The Contractor shall promptly notify NUI Galway if it receives 15.5.5 assist the Customer (and/or where appropriate the relevant Service Recipient), at the Customer's cost, in responding to any request from a Data Subject Access Request to have access to any Personal Data or any other complaint, correspondence, notice, request any order of the Court or request of any regulatory or government body relating to NUI Galway’s obligations under the Data Protection Laws and provide full co-operation and assistance to NUI Galway in relation to any such complaint, order or request (including, without limitation, by allowing Data Subjects to have access to their data). 12.5 The Contractor shall without undue delay report in writing to NUI Galway any data compromise involving Personal Data, or any circumstances that could have resulted in unauthorised access to or disclosure of Personal Data. 12.6 The Contractor shall assist NUI Galway in ensuring compliance with its obligations under the Data Protection Laws Legislation with respect to security, Impact Assessments breach notifications, impact assessments and consultations with supervisory authorities and or regulators.; 12.7 The Contractor shall amend15.5.6 notify the Customer (and/or where appropriate the relevant Service Recipient) without undue delay on becoming aware of a Personal Data breach; 15.5.7 at the written direction of the Customer (and/or where appropriate the relevant Service Recipient), delete (and provide confirmation thereof) or return Personal Data and copies thereof to NUI Galway the Customer (and/or where appropriate the relevant Service Recipient) on termination of this the Agreement unless the Contractor is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Contractor law to store the Personal Data.; and 12.8 The Contractor shall permit NUI Galway, the Office of the Data Protection Commission or other supervisory authority 15.5.8 allow for data protection in Ireland, and/ or their nominee to conduct audits and or inspections of the Contractor’s facilities, and to have access to all data protection, confidentiality and security procedures, data equipment, mechanisms, documentation, databases, archives, data storage devices, electronic communications and storage systems used by the Contractor Customer (and/or where appropriate the relevant Service Recipient) or its designated auditor in any way for respect of Egton’s data processing activities under the provision of the Goods and Services. The Contractor shall comply with all reasonable directions of NUI Galway arising out of any such inspection, audit or reviewAgreement. 12.9 The Contractor shall fully comply with, and implement policies which are communicated or notified to the Contractor by NUI Galway from time to time. 12.10 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 12 and allow for inspections and contribute to any audits by NUI Galway or NUI Galway’s designated auditor. 12.11 The Contractor shall:- (a) take all reasonable precautions to preserve the integrity of any Personal Data which it processes and to prevent any corruption or loss of such Personal Data; (b) ensure that a back-up copy of any and all such Personal Data is made at least daily and this copy is recorded on media from which the data can be reloaded if there is any corruption or loss of the data; and (c) in such an event and if attributable to any default by the Contractor or any Sub-contractor, promptly restore the Personal Data at its own expense or, at NUI Galway’s option, reimburse NUI Galway for any reasonable expenses it incurs in having the Personal Data restored by a third party. 12.12 NUI Galway consents to the Contractor appointing third-party processor(s) of Personal Data under this Agreement if written permission is sought from and provided by NUI Galway in advance of such engagement. The Contractor confirms that it has entered or (as the case may be) shall enter into a written agreement incorporating terms which are substantially similar to those set out in this clause 12 as between NUI Galway and the Contractor, the Contractor shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 12. 12.13 Save for clauses 12.1, 12.2, 12.3 (d), and 12.4, all the obligations on the Contractor in this clause 12 relating to the processing of Personal Data shall apply to the processing of all Data. 12.14 The provisions of this clause 12 shall survive termination and or expiry of this Agreement for any reason.